Preface

This volume contains the proceedings of the 20th International Conference on Application and Theory of Petri Nets. The aim of the Petri net conferences is to create a forum for the dissemination of the latest results in the application and theory of Petri nets. Typically there are some 150-200 participants and usually one third of these come from industry, while the rest are from universities and research institutions. The conferences and a number of other activities are coordinated by a steering committee formed by: G. Balbo (Italy), J. Billington (Australia), C. Girault (France), K. Jensen (Denmark), S. Kumagai (Japan), G. De Michelis (Italy), T. Murata (U.S.A.), C.A. Petri (Germany; honorary member), W. Reisig (Germany), G. Roucairol (France), G. Rozenberg (The Netherlands; chair), M. Silva (Spain).

The 1999 Petri net conference took place in Williamsburg, Virginia, and was organized by the Department of Computer Science of The College of William and Mary, Williamsburg. This was the second time the conference had been organized in the United States. We received 45 submissions from 15 countries on 5 continents, of which 21 were accepted for presentation. The submitted papers were evaluated by a program committee with the following members: W. van der Aalst (The Netherlands), P. Azema (France), W. Brauer (Germany), S. Christensen (Denmark), A. Desrochers (U.S.A.), S. Donatelli (Italy; co-chair), C. Girault (France), L. Gomes (Portugal), J. Hillston (United Kingdom), E. Kindler (Germany), H.C.M. Kleijn (The Netherlands; co-chair), S. Kumagai (Japan), C. Lakos (Australia), A. Levis (U.S.A.), J. Lilius (Finland), T. Murata (U.S.A.), G. Nutt (U.S.A.), K. Onaga (Japan), W. Penczek (Poland), L. Pomello (Italy), W. Sanders (U.S.A.), M. Silva (Spain), D. Simpson (United Kingdom), P.S. Thiagarajan (India), K. Trivedi (U.S.A.), R. Valette (France), R. Valk (Germany), A. Yakovlev (United Kingdom), W. Zuberek (Canada). The meeting of the program committee took place in Leiden, The Netherlands. In addition to the submitted contributions, there were three invited lectures by P. Varaiya (U.S.A.), B.H. Krogh (U.S.A.), and G. De Michelis (Italy). Other activities before and during the conference included a work-in-progress session, tool presentations and demonstrations, extensive introductory tutorials, two advanced tutorials on Performance Analysis and on Distributed Algorithms, and two workshops on Hardware Design and Petri Nets and on Applications of Petri Nets to Intelligent System Development.

We would like to express our gratitude to all authors of submitted papers and to the members of the program committee and the referees assisting them in providing almost 200 referee reports. We thank M. Boon-van der Nat and D. Costa for their efficient secretarial support. We greatly appreciate the efforts of the organizing committee in Williamsburg, G. Ciardo (chair), E. Smirni, D.S. Noonan, and M.D. Maurer. Also the excellent cooperation with A. Hofmann of Springer-Verlag is gratefully acknowledged.
Design, Simulation, and Implementation of Hybrid Systems*

Pravin Varaiya
Berkeley, CA 94720, U.S.A.
varaiya@eecs.berkeley.edu



Abstract. This talk will present two detailed examples of hybrid systems, covering design, simulation and implementation. The first concerns an Automated Highway System. The second application deals with a collection of autonomous unmanned aircraft. The paper provides a background about hybrid systems.



1 What Is a Hybrid System

A hybrid system or automaton comprises two interacting components: one component evolves in continuous time and has state variables $x \in \mathbb{R}^n$, the other is event-driven and has finitely many states $q \in Q$. With each discrete state $q$ is associated a differential inclusion $\dot{x} \in F(q, x)$, where $F(q, x) \subset \mathbb{R}^n$. Associated with each pair $(q, q')$ is an "enabling zone" or "guard" $G(q, q') \subset \mathbb{R}^n$ (if the guard is empty the discrete transition $q \to q'$ is infeasible), and a "reset" relation $R(q, q') \subset \mathbb{R}^n \times \mathbb{R}^n$.

Suppose the system starts in state $(q_0, x_0)$ at time $t_0$. The continuous state evolves during the time interval $[t_0, t_1)$ according to the inclusion

$\dot{x}(t) \in F(q_0, x(t)), \quad x(t_0) = x_0$

until a time $t_1$ is reached when $x(t_1^-) \in G(q_0, q_1)$ for some $q_1$. Because the guard of the transition $q_0 \to q_1$ is now satisfied, the discrete state changes instantaneously from $q_0$ to $q_1$, and the continuous state is reset from $x(t_1^-)$ to $x_1$, where $(x(t_1^-), x_1) \in R(q_0, q_1)$. (If another guard is satisfied following the reset, there may be another discrete transition.) The continuous state now evolves during $[t_1, t_2)$ according to

$\dot{x}(t) \in F(q_1, x(t)), \quad x(t_1) = x_1$

until at $t_2$ another guard is satisfied and the system makes a discrete transition and resets the continuous state as before.

Thus a system trajectory evolves in two phases. In the first phase, the discrete state is unchanged, time progresses and the continuous state evolves. In the second phase, time stops, the discrete state makes a transition and the continuous state is reset. In this definition, the hybrid system is non-deterministic: the differential inclusion may permit more than one continuous state trajectory; and more than one guard may be satisfied, permitting a choice of discrete transition. Additional conditions on $F$, $G$ and $R$ are needed to ensure the existence of a trajectory, its continuation for arbitrarily large time, or to make the system deterministic.

* Research supported by National Science Foundation and Office of Naval Research.
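The two-phase evolution just described, simulated in Python as an added example (not from Varaiya's paper): the inclusion $F$ is taken single-valued and guards are tried in a fixed order, so the run is deterministic; the thermostat it drives is a constructed system whose continuous state is (temperature, clock), with the clock reset to 0 at every transition.

```python
"""Simulation of a hybrid automaton (Q, F, G, R): Phase 1 lets time progress
under F(q, x), Phase 2 stops time, takes discrete transitions whose guards
G(q, q') hold and applies the resets R(q, q')."""
from typing import Callable, Dict, Hashable, List, Tuple

State = Tuple[float, ...]
Edge = Tuple[Hashable, Hashable]


class HybridAutomaton:
    def __init__(self, F: Dict[Hashable, Callable[[State], State]],
                 G: Dict[Edge, Callable[[State], bool]],
                 R: Dict[Edge, Callable[[State], State]], max_jumps: int = 10):
        self.F, self.G, self.R = F, G, R
        self.max_jumps = max_jumps     # bound on transitions taken at one instant

    def flow(self, q: Hashable, x: State, dt: float) -> State:
        """Phase 1: q unchanged, x follows dx/dt = F(q, x) (explicit Euler step)."""
        dx = self.F[q](x)
        return tuple(xi + dt * dxi for xi, dxi in zip(x, dx))

    def jump(self, q: Hashable, x: State) -> Tuple[Hashable, State]:
        """Phase 2: time stops; while a guard G(q, q') holds, move to q' and reset x."""
        for _ in range(self.max_jumps):
            for (src, dst), guard in self.G.items():
                if src == q and guard(x):
                    q, x = dst, self.R[(src, dst)](x)
                    break
            else:
                return q, x                     # no guard satisf ied in q
        raise RuntimeError("more than max_jumps transitions at one instant")

    def simulate(self, q0: Hashable, x0: State, t_end: float, dt: float) -> List[tuple]:
        q, x = self.jump(q0, x0)               # a guard may already hold at t = 0
        traj = [(0.0, q, x)]
        for step in range(1, int(round(t_end / dt)) + 1):
            q, x = self.jump(q, self.flow(q, x, dt))
            traj.append((step * dt, q, x))
        return traj


# Constructed example: a thermostat with discrete states "heat" and "cool";
# x = (temperature, clock).  The clock is reset to 0 at every transition.
LOW, HIGH = 18.0, 22.0
THERMOSTAT = HybridAutomaton(
    F={"heat": lambda x: (0.5 * (30.0 - x[0]), 1.0),   # warms toward 30 degrees
       "cool": lambda x: (0.5 * (10.0 - x[0]), 1.0)},  # cools toward 10 degrees
    G={("heat", "cool"): lambda x: x[0] >= HIGH,
       ("cool", "heat"): lambda x: x[0] <= LOW},
    R={("heat", "cool"): lambda x: (x[0], 0.0),
       ("cool", "heat"): lambda x: (x[0], 0.0)},
)


def thermostat_run(t_end: float = 20.0, dt: float = 0.01) -> List[tuple]:
    return THERMOSTAT.simulate("heat", (20.0, 0.0), t_end, dt)


def transitions(traj: List[tuple]) -> List[tuple]:
    """(time, new discrete state) for every instant at which q changed."""
    return [(t, q) for (t, q, _), (_, prev, _) in zip(traj[1:], traj) if q != prev]


def temperature_range(traj: List[tuple]) -> Tuple[float, float]:
    temps = [x[0] for _, _, x in traj]
    return min(temps), max(temps)


if __name__ == "__main__":
    run = thermostat_run()
    print("transitions:", len(transitions(run)), "temperature range:", temperature_range(run))
```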

Hybrid system models are appropriate in several contexts. In one context a computer or human symbol-processing system provides high level supervision of a continuous process.¹ An example is an automated vehicle whose maneuvers are planned and coordinated at a logical level but executed using continuous time feedback laws that determine the throttle, braking, and steering actuator signals.² Another example is in our daily use of "common sense" rules to control sophisticated processes such as microwave ovens, automobiles and copying machines, without understanding the physical and engineering principles that govern the behavior of those processes. A different context is that of "switched" dynamical systems characterized by differential equations whose right-hand side changes discontinuously when the state reaches a switching surface. An automatic gear shift vehicle would be described by such a switched differential equation.



2 Decidability and Verification

The reach set $R(q, x, t)$ of a hybrid system is the set of all states in $Q \times \mathbb{R}^n$ that can be reached at time $t$, starting in state $(q, x)$ at time 0. Many properties of system behavior can be formulated in terms of the reach set. For instance, "safety" means that a specified "unsafe" set $U$ is never reached, i.e. $R(q_0, x_0, t) \cap U = \emptyset$ for every $t$. And "liveness" means that a set $S$ can be reached infinitely often, i.e. $R(q_0, x_0, t) \cap S \neq \emptyset$ for arbitrarily large $t$. Thus the ability to calculate the reach set permits one to evaluate many properties. The hybrid system is said to be decidable if there is a finite algorithm for computing its reach set; it is undecidable if there is no such algorithm.

Most hybrid systems are undecidable, which is not unexpected. The fundamental result here is that timed automata are decidable [?]. These are hybrid automata with the simplest inclusions: $\dot{x}_i = 1$ (so that the $n$ continuous variables $x_i$ all are 'timers' or 'clocks'); the guards all are conjunctions or disjunctions of the form $x_i \sim c$ where $\sim$ is one of $>, \geq, <, \leq$ and $c$ is an integer; and if a continuous state variable is reset, it is reset to the value 0. Timed automata are used in applications to express real-time restrictions. The fundamental result implies that properties of a digital circuit or real-time control algorithm expressed as a timed automaton can be automatically verified.³

¹ Indeed in computer science, it is customary to refer to the discrete state as a (control) location, indicating its supervisory status.

² About 80 percent of the control code for highly automated systems such as a Flight Control System is now concerned with logic (discrete transitions, guards, resets) and 20 percent deals with continuous states (differential inclusion). Hybrid system models are essential if one wishes to fully describe these control systems.

The decidability of timed automata would be unsurprising if time were discrete, rather than continuous. It was shown in [?] that if all guards are closed (i.e. only $\geq$ and $\leq$ are permitted), then time can be discretized. In [?] it is shown that discretization is possible even when guards are open, although the construction is no longer intuitive.

A multirate automaton is a generalization of a timed automaton in which the timers may have different rates: $\dot{x}_i = r(q)$ in discrete state $q$, where $r(q)$ is an integer not necessarily equal to unity. That there is something special about timed automata is suggested by examples of multirate automata that are undecidable. Much work has been devoted to delineating multirate automata that are decidable.

An important class of decidable hybrid systems are the rectangular automata. These are systems in which the inclusions $F(q, x)$, the guards $G(q, q')$ and the resets $R(q, q')$ are all rectangles, i.e. products of intervals with integer coordinates. In particular, the differential inclusions impose only an upper and lower bound on the velocity of each coordinate (the bounds may depend on the discrete state):

$\dot{x}_i \in [l_i(q), u_i(q)], \quad i = 1, \dots, n.$

A rectangular system is initialized if in each discrete transition $q \to q'$ that leads to a change in the inclusion of a component of the continuous state (i.e. $[l_i(q), u_i(q)] \neq [l_i(q'), u_i(q')]$), that component is reset during the transition. The main result of [?] is that initialized rectangular automata are decidable. The whole issue of decidability of hybrid automata is thoroughly explored in [?].

The next question is: How general are (initialized) rectangular automata? One answer developed in [?] is that rectangular automata can be used to upper-bound the behavior of general hybrid systems, which permits verification of safety properties. The second answer is that it is possible to approximate any nonlinear inclusion arbitrarily closely over any finite interval by a rectangular automaton [?]. It is important to extend this approximation result over the infinite time interval.

Software tools, based on these decidability results, have been developed to verify control system designs [?].

3 Simulation 

SHIFT is a programming language for simulating a network of interacting hybrid systems [?]. SHIFT hybrid systems can interact in one of three ways. First, outputs of one system can be inputs of another. Second, the discrete transitions in several systems can be synchronized. Third, the interactions among systems can change dynamically: for example, the input-output connections can be made to depend on the state of the overall system. These facilities for describing hybrid systems and their interactions make SHIFT a very flexible and powerful language for describing hybrid systems. SHIFT is object oriented, which makes it well-suited for developing applications in teams. Several other features (type checking, debugging) make it easy to learn.

³ The annual workshop on Computer Aided Verification provides a forum for results in this area and the annual Hybrid Systems workshop serves an analogous function. Papers presented at these workshops are published in the LNCS series of Springer. In addition, the annual Conference on Decision and Control now features one stream of sessions devoted to hybrid and discrete event systems. The February 1998 issue of the Transactions on Automatic Control is dedicated to hybrid systems.

SHIFT has been extensively used in the detailed simulation of hundreds of interacting automated vehicles. The SHIFT simulation environment is available free and runs on UNIX and NT platforms [?]. Tools for verification of some SHIFT programs are being developed.

4 Implementation 

The synchronization procedures of SHIFT make it a very powerful language for simulating complex systems. However, these procedures cannot be realized in real time. A recent commercial system, Teja, not only provides SHIFT-like high-level constructs for designing hybrid system controllers, but it also automatically generates code for real-time control. Teja provides a visual environment for modeling the application, a platform for simulation and testing the real-time performance, a facility for managing a distributed application, and a real-time execution platform.
Abstract. We present a new technique for the generation and storage of the reachability set of a Petri net. Our approach is inspired by previous work on Binary and Multi-valued Decision Diagrams but exploits a concept of locality for the effect of a transition's firing to vastly improve algorithmic performance. The result is a data structure and a set of manipulation routines that can be used to generate and store enormous sets extremely efficiently in terms of both memory and execution time.

Classification: Reachability set generation. System verification. Computer tools.



1 Introduction 

The generation of the state space, or reachability set, S for a discrete-state model 
is an essential step in many types of studies. In the case of logical verification, 
the goal might be to ensure that no “bad” states satisfying certain boolean 
conditions can be reached from the initial state. In the case of Markov stochastic 
modeling, the reachable states determine the size and meaning of the probability 
vector computed as a result of a numerical solution. In either case, Petri nets 
(or stochastic Petri nets) are often the formalism of choice to describe such 
discrete-state models in a formal and compact way. 

For the type of problems we consider, S is finite but its size is so large 
that its exploration and storage become formidable challenges. Implementors of 
computer tools for the analysis of stochastic Petri nets quickly found out that the 
effort to generate S and the infinitesimal generator matrix Q of the underlying 
model was often comparable to that of the numerical solution of the Markov 
chain. Analogously, S could easily require an amount of storage comparable to 
that of Q. In practice, these tools could manage reachability sets ranging in size 
from 10^ to perhaps 10® states, depending on the quality of the implementation 
and on the amount of primary memory available. 

To move beyond these limitations, innovative approaches had to be employed. In Sect. 2 we briefly present two lines of work that are related to, and indeed inspired, our research. One is represented by the 1994 paper by Pastor et al. [?], who proposed the use of Binary Decision Diagrams (BDDs) for the storage and generation of the reachability set for a safe (1-bounded) Petri net. By exploiting the compact representation of BDDs, they generated very large reachability sets in a matter of hours, with small storage requirements. In later work [?] a more efficient encoding is introduced based on place invariants; however, the underlying logic is still based on binary variables. In our work, we instead use an extension of BDDs to non-binary logic, as proposed for the Multi-valued Decision Diagrams (MDDs) of Kam [?], or the "shared trees" of Zampunieris [?]. Our title uses the term "decision diagrams" because the results we present, while particularly relevant to MDDs, apply also to BDDs.

* A.S. Miner's work was supported by fellowships from the NASA Graduate Student Research Program and the Virginia Space Grant Consortium.

S. Donatelli, J. Kleijn (Eds.): ICATPN'99, LNCS 1639, pp. 6-[?], 1999.
© Springer-Verlag Berlin Heidelberg 1999

We are also building upon our own previous work on state space storage [?]. By using a multilevel data structure based on a decomposition of a Petri net into submodels, we showed how $S$ can be stored using little over a small integer (i.e., one or two bytes) per state. While this amount is linear in $|S|$ (unlike the results achieved by Pastor with BDDs, which are sublinear for most models of interest), the reason for introducing our structure was that it fulfills many of the needs of numerical approaches based on Kronecker algebra [?]; for this application, we have shown how it substantially improves the solution time for very large and sparse problems [?]. Furthermore, for exact numerical solution, one or two bytes per state represents a small fraction of the overall memory requirements, which include several single- or double-precision vectors of size $|S|$. Another idea exploited in [?] was that of event locality: the realization that we can automatically detect a priori the identity of the submodels affected by a given event, so that only the corresponding "local substates" change when the event occurs. This concept of locality, appropriately extended when applied to MDDs, enables us to achieve great speedups.

Another related work is [?], which also considers a state space $S$ defined as a subset of the cross-product $S_K \times \cdots \times S_1$ of arbitrary sets. Starting from the representation of $S$ as a boolean vector of size $|S_K| \cdots |S_1|$ suggested in [?], common bit subvectors are merged. However, the intent in [?] is the Kronecker-based numerical solution of stochastic Petri nets, so no attempt is made to generate state spaces of the size considered in [?].

In the theoretical results of Sect. 3 we combine the main idea of BDDs (merging common subtrees in the data structure used to encode $S$) with our idea of locality (limiting the computation and effect of a given event to the affected submarkings) and of model decomposition (defining a marking as a collection of submarkings, not necessarily from a safe net, encoded as a vector of small integer indices), to obtain a very efficient approach for the storage and generation of $S$.

Sect. 5 explores some implementation issues that affect memory and time complexity. In Sect. [?] we apply our approach to various models previously considered in the literature. For the two applications reported in [?], our approach is much faster and more memory-efficient, hence it can generate much larger state spaces (9.18 x 10®^® and 7.29 x 10®^ states, respectively).

Finally, Sect. [?] states our conclusions and future research directions.
2 Background and Related Work

Our definition of Petri net is quite general, admitting inhibitor arcs, transition guards, and marking-dependent arc multiplicities. Since any of these extensions achieves Turing-equivalence, we assume that the Petri net model has a finite reachability set $S$. Formally, we represent a Petri net as a tuple $(\mathcal{P}, \mathcal{T}, I, O, H, g, \mathbf{m}^{[0]})$ where:

- $\mathcal{P} = \{p_1, \dots, p_{|\mathcal{P}|}\}$ is a finite set of places. A marking $\mathbf{m} \in \mathbb{N}^{|\mathcal{P}|}$ assigns a number of tokens to each place.
- $\mathcal{T} = \{t_1, \dots, t_{|\mathcal{T}|}\}$ is a finite set of transitions, with $\mathcal{P} \cap \mathcal{T} = \emptyset$.
- $I : \mathcal{P} \times \mathcal{T} \times \mathbb{N}^{|\mathcal{P}|} \to \mathbb{N}$, $O : \mathcal{P} \times \mathcal{T} \times \mathbb{N}^{|\mathcal{P}|} \to \mathbb{N}$, and $H : \mathcal{P} \times \mathcal{T} \times \mathbb{N}^{|\mathcal{P}|} \to \mathbb{N} \cup \{\infty\}$ describe the marking-dependent multiplicities of the input, output, and inhibitor arcs.
- $g : \mathcal{T} \times \mathbb{N}^{|\mathcal{P}|} \to \{0, 1\}$ describes the transition guards.
- $\mathbf{m}^{[0]} \in \mathbb{N}^{|\mathcal{P}|}$ is the initial marking.

A transition $t$ is enabled in $\mathbf{m}$, written $Enabled(t, \mathbf{m})$, iff

$g(t, \mathbf{m}) = 1 \ \wedge\ \forall p_i \in \mathcal{P},\ I(p_i, t, \mathbf{m}) \le m_i \ \wedge\ H(p_i, t, \mathbf{m}) > m_i.$

Firing an enabled transition $t$ in $\mathbf{m}$ leads to $\mathbf{n} = New(t, \mathbf{m})$, satisfying

$\forall p_i \in \mathcal{P},\ n_i = m_i - I(p_i, t, \mathbf{m}) + O(p_i, t, \mathbf{m}).$

The reachability set $S$ is then defined as the smallest subset of $\mathbb{N}^{|\mathcal{P}|}$ that contains $\mathbf{m}^{[0]}$ and is closed under the one-step reachability relation; that is, if $\mathbf{m} \in S$, $Enabled(t, \mathbf{m})$, and $\mathbf{n} = New(t, \mathbf{m})$, then $\mathbf{n} \in S$ as well.

Since our goal is the efficient generation and storage of $S$, we briefly describe the traditional approach. An algorithm that iteratively builds $S$, by processing one marking at a time, is shown in Fig. 1. Its execution time is then at least $O(|S| \cdot |\mathcal{P}| \cdot |\mathcal{T}|)$. Indeed, it can be worse, since statement 8 requires a search for a newly generated state $\mathbf{n}$ in the set of currently known states. If $S$ and $U$ are stored using some type of search tree (e.g., AVL or Splay trees [?] or B-trees [?]), this implies an additional $\log |S|$ factor.

Considering now the memory usage, a simple approach is to store $S$ as a search tree where the keys are markings encoded as vectors of $|\mathcal{P}|$ natural numbers (or booleans, for safe nets). However, this requires $O(|\mathcal{P}| \cdot |S|)$ bytes. Sparse techniques can be used to store the marking vectors, but these are only moderately beneficial, and only when most markings have many zero entries.

2.1 A Multilevel Data Structure to Store S

Given a Petri net, we can partition its set of places $\mathcal{P}$ into $K$ subsets $\mathcal{P}_k$, $k = K, \dots, 1$, and define $S_k$ to be the set of reachable "local" submarkings for $\mathcal{P}_k$:

$S_k = \{\mathbf{m}_k : \exists \mathbf{m}_K, \dots, \mathbf{m}_{k+1}, \mathbf{m}_{k-1}, \dots, \mathbf{m}_1,\ [\mathbf{m}_K, \dots, \mathbf{m}_1] \in S\}.$
    Explore(P, T, I, O, H, g, m^[0])
    1.  S ← ∅;
    2.  U ← {m^[0]};
    3.  while U ≠ ∅ do
    4.      choose a marking m in U;
    5.      move m from U to S;
    6.      for each transition t such that Enabled(t, m) do
    7.          n ← New(t, m);
    8.          if n ∉ S ∪ U then
    9.              U ← U ∪ {n};
    10. return S;

    • S: markings explored so far
    • U: markings found but not yet explored

Fig. 1. A procedure Explore to generate S.
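The definitions of Enabled and New above and the procedure Explore of Fig. 1, implemented in Python as an added example (not the authors' code); the mutual-exclusion net it explores is constructed for illustration and uses the inhibitor arcs the definition allows.

```python
"""Enabled(t, m), New(t, m) and the procedure Explore of Fig. 1 for Petri nets
with inhibitor arcs, transition guards and marking-dependent multiplicities.
The net at the bottom is constructed for illustration."""
from typing import Callable, Dict, Set, Tuple, Union

Marking = Tuple[int, ...]
Mult = Union[int, Callable[[Marking], int]]   # constant or marking-dependent multiplicity


def _mult(v: Mult, m: Marking) -> int:
    return v(m) if callable(v) else v


class PetriNet:
    """Places are named; a marking is a tuple with one token count per place.
    transitions[t] = {"I": {p: mult}, "O": {p: mult}, "H": {p: mult}, "g": guard};
    absent arcs have multiplicity 0 (I, O) or infinity (H), an absent guard is 1."""

    def __init__(self, places, transitions: Dict[str, dict]):
        self.places = list(places)
        self.idx = {p: i for i, p in enumerate(self.places)}
        self.transitions = transitions

    def marking(self, **tokens: int) -> Marking:
        return tuple(tokens.get(p, 0) for p in self.places)

    def enabled(self, t: str, m: Marking) -> bool:
        spec = self.transitions[t]
        if not spec.get("g", lambda _: True)(m):                  # g(t, m) = 1
            return False
        if any(m[self.idx[p]] < _mult(v, m) for p, v in spec.get("I", {}).items()):
            return False                                          # I(p, t, m) <= m_p
        if any(m[self.idx[p]] >= _mult(v, m) for p, v in spec.get("H", {}).items()):
            return False                                          # H(p, t, m) > m_p
        return True

    def new(self, t: str, m: Marking) -> Marking:
        """n_p = m_p - I(p, t, m) + O(p, t, m); multiplicities are evaluated in m."""
        n, spec = list(m), self.transitions[t]
        for p, v in spec.get("I", {}).items():
            n[self.idx[p]] -= _mult(v, m)
        for p, v in spec.get("O", {}).items():
            n[self.idx[p]] += _mult(v, m)
        return tuple(n)


def explore(net: PetriNet, m0: Marking) -> Set[Marking]:
    """Fig. 1: S holds explored markings, U markings found but not yet explored."""
    S: Set[Marking] = set()
    U: Set[Marking] = {m0}
    while U:
        m = U.pop()                               # choose m in U and move it to S
        S.add(m)
        for t in net.transitions:
            if net.enabled(t, m):
                n = net.new(t, m)
                if n not in S and n not in U:     # statement 8: search the known states
                    U.add(n)
    return S


# Constructed net: two processes competing for one mutex.  The inhibitor arcs
# (H) stop a process from requesting the mutex while the other one is waiting,
# so the marking with both processes waiting is never reached.
MUTEX_NET = PetriNet(
    places=["idle1", "wait1", "cs1", "idle2", "wait2", "cs2", "mutex"],
    transitions={
        "req1":   {"I": {"idle1": 1}, "O": {"wait1": 1}, "H": {"wait2": 1}},
        "enter1": {"I": {"wait1": 1, "mutex": 1}, "O": {"cs1": 1}},
        "leave1": {"I": {"cs1": 1}, "O": {"idle1": 1, "mutex": 1}},
        "req2":   {"I": {"idle2": 1}, "O": {"wait2": 1}, "H": {"wait1": 1}},
        "enter2": {"I": {"wait2": 1, "mutex": 1}, "O": {"cs2": 1}},
        "leave2": {"I": {"cs2": 1}, "O": {"idle2": 1, "mutex": 1}},
    })
MUTEX_M0 = MUTEX_NET.marking(idle1=1, idle2=1, mutex=1)


def mutual_exclusion_holds(S: Set[Marking]) -> bool:
    """Safety check on the generated S: never both processes in their critical section."""
    i1, i2 = MUTEX_NET.idx["cs1"], MUTEX_NET.idx["cs2"]
    return all(m[i1] + m[i2] <= 1 for m in S)


if __name__ == "__main__":
    S = explore(MUTEX_NET, MUTEX_M0)
    print(len(S), "reachable markings; mutual exclusion holds:", mutual_exclusion_holds(S))
```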




In [?] we discussed a data structure to store a subset $S$ (the actual state space) of a cross-product $S_K \times \cdots \times S_1$ of $K$ sets (the potential state space). Fig. 2 illustrates the idea using arrays. At the top level, there is (at most) one instance of each submarking $\mathbf{m}_K \in S_K$, and the corresponding pointer points to the submarkings for the remaining levels that can coexist with $\mathbf{m}_K$, that is, all $[\mathbf{m}_{K-1}, \dots, \mathbf{m}_1]$ such that $[\mathbf{m}_K, \dots, \mathbf{m}_1] \in S$, and so on. To determine whether a given marking $\mathbf{m} = [\mathbf{m}_K, \dots, \mathbf{m}_1]$ is reachable, we search for $\mathbf{m}_K$ in the grayed-out portion of level $K$. If found, we follow the pointer identifying the grayed-out portion of level $K-1$, search that portion for $\mathbf{m}_{K-1}$, and repeat until either we find $\mathbf{m}_1$ in the grayed-out portion of level 1, or we fail to find a submarking $\mathbf{m}_k$, for some $k = K, \dots, 1$. In the former case, the marking $\mathbf{m}$ is reachable and the offset of the position where we found $\mathbf{m}_1$ in the array for level 1 indicates the lexicographic order $\Psi(\mathbf{m})$ of $\mathbf{m}$ in $S$ (i.e., the number of reachable markings smaller than $\mathbf{m}$). In the latter case, $\mathbf{m}$ is not reachable.

In practice, it is much more efficient to use the index of a submarking in the data structure encoding $S$, not the actual submarking, hence only $\lceil \log_2 |S_k| \rceil$ bits are required for each submarking stored at level $k$. Assuming a sufficiently large branching factor from each level to the next, the memory requirements are dominated by the bottom level, for which no pointers are required. Thus, we can store $S$ in little over $|S| \cdot \lceil \log_2 |S_1| \rceil$ bits.

Arrays are used in [?] to reduce memory requirements after having completed the exploration of $S$. However, during the exploration, the same approach requires a dynamic data structure allowing efficient search and insertion (e.g., an AVL or Splay tree) for each grayed-out portion at each level; we stress that, in this case, a priori knowledge of the sets $S_k$ is not required, although a decision must be made about an upper bound on their size, so that indices can be stored. In practice, one, two, or four bytes are used (four bytes being rarely needed, as most local reachability sets contain no more than $2^8$ or $2^{16}$ elements).

Another concept from [?] that inspired our current work is the locality of a transition. By examining the Petri net definition, it is possible to determine (conservatively) what places are affected when transition $t$ fires. Then, we define the locality $k^*$ of $t$ as the largest $k$ such that $\mathcal{P}_k$ contains an affected place, and we know that any submarking $\mathbf{m}_k$, for $k = K, \dots, k^*+1$, is not affected by $t$.

By exploiting locality we achieve greater efficiency during both exploration of $S$ and subsequent searches (needed, for example, in a Kronecker-based Markov analysis). If $\mathbf{n} = New(t, \mathbf{m})$, and we know the $K$ pointers, or offsets into the $K$ arrays, $(\Psi_K(\mathbf{m}_K), \Psi_{K-1}(\mathbf{m}_K, \mathbf{m}_{K-1}), \dots, \Psi_1(\mathbf{m}_K, \dots, \mathbf{m}_1)) = \Psi(\mathbf{m})$ for $\mathbf{m}$, the search for $\mathbf{n}$ in our multilevel data structure can start at level $k^*$, since we know that $\mathbf{n}_k = \mathbf{m}_k$, hence $\Psi_k(\mathbf{n}_K, \dots, \mathbf{n}_k) = \Psi_k(\mathbf{m}_K, \dots, \mathbf{m}_k)$, for $k = K, \dots, k^*+1$.
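The multilevel structure of Sect. 2.1, the lexicographic index $\Psi(\mathbf{m})$, and a locality-aware search that reuses the offsets of $\mathbf{m}$ down to level $k^*$, as an added Python example (not the authors' code). The set S and the two-level partition are constructed by hand; the transition names in the comments are hypothetical.

```python
"""Multilevel structure of Sect. 2.1 with sorted arrays: each "grayed-out
portion" of level k lists the submarkings m_k that can coexist with the
submarkings chosen at levels K..k+1 and points at the portions of level k-1."""
from bisect import bisect_left
from typing import List, Optional, Sequence, Tuple

Marking = Tuple[int, ...]
Submarking = Tuple[int, ...]
Partition = Sequence[Sequence[int]]   # place indices of P_K, ..., P_1 (top level first)


class Portion:
    """Sorted submarkings, child portions (None at level 1) and, per entry,
    the number of full markings stored below it."""
    def __init__(self):
        self.keys: List[Submarking] = []
        self.children: List[Optional["Portion"]] = []
        self.counts: List[int] = []

    def find(self, key: Submarking) -> int:
        i = bisect_left(self.keys, key)
        return i if i < len(self.keys) and self.keys[i] == key else -1


def split(m: Marking, partition: Partition) -> Tuple[Submarking, ...]:
    """[m_K, ..., m_1]: the marking as a tuple of local submarkings."""
    return tuple(tuple(m[i] for i in block) for block in partition)


def build(S, partition: Partition) -> Portion:
    root = Portion()
    for parts in sorted(split(m, partition) for m in S):    # lexicographic order
        node = root
        for k, sub in enumerate(parts):
            if not node.keys or node.keys[-1] != sub:       # new entry at this level
                node.keys.append(sub)
                node.children.append(None if k == len(parts) - 1 else Portion())
                node.counts.append(0)
            node.counts[-1] += 1
            node = node.children[-1]
    return root


def search(root: Portion, m: Marking, partition: Partition):
    """Walk down from level K; returns the (portion, offset) visited at each
    level, or None as soon as some submarking m_k is not found."""
    node, path = root, []
    for sub in split(m, partition):
        i = node.find(sub)
        if i < 0:
            return None
        path.append((node, i))
        node = node.children[i]
    return path


def psi(path) -> int:
    """Psi(m): number of reachable markings smaller than m, i.e. all markings
    stored under smaller siblings along the search path."""
    return sum(sum(node.counts[:i]) for node, i in path)


def locality(affected: Sequence[int], partition: Partition) -> int:
    """k* = largest k such that P_k contains a place affected by the transition."""
    K = len(partition)
    for pos, block in enumerate(partition):
        if any(p in block for p in affected):
            return K - pos
    return 0


def search_from(path_m, n: Marking, partition: Partition, kstar: int):
    """Search n = New(t, m) reusing m's path for levels K..k*+1: those
    submarkings are unchanged, so the portion of level k* is already known."""
    if kstar == 0:
        return list(path_m)                      # t changes nothing: n = m
    start = len(partition) - kstar
    node, path = path_m[start][0], list(path_m[:start])
    for sub in split(n, partition)[start:]:
        i = node.find(sub)
        if i < 0:
            return None
        path.append((node, i))
        node = node.children[i]
    return path


# Constructed S: the 7 reachable markings of a two-process mutex net over the
# places (idle1, wait1, cs1, idle2, wait2, cs2, mutex); P_2 = process 1,
# P_1 = process 2 plus the mutex.
S_EXAMPLE = [(1, 0, 0, 1, 0, 0, 1), (0, 1, 0, 1, 0, 0, 1), (1, 0, 0, 0, 1, 0, 1),
             (0, 0, 1, 1, 0, 0, 0), (1, 0, 0, 0, 0, 1, 0), (0, 0, 1, 0, 1, 0, 0),
             (0, 1, 0, 0, 0, 1, 0)]
PARTITION = [[0, 1, 2], [3, 4, 5, 6]]

if __name__ == "__main__":
    root = build(S_EXAMPLE, PARTITION)
    for m in S_EXAMPLE:
        print(m, "Psi =", psi(search(root, m, PARTITION)))
```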

2.2 Using BDDs to Store S

It is well-known that a boolean function $f : \{0,1\}^n \to \{0,1\}$ can be represented as a boolean vector of size $2^n$ indexed starting at zero, where the entry in position $b_n \cdots b_1$, interpreted as an unsigned $n$-bit integer in base 2, is 0 iff $f(b_n, \dots, b_1) = 0$. However, this representation requires exponential space. BDDs were introduced to alleviate this problem, as they allow one to encode and compute many boolean functions of interest in a very compact way.

A binary decision diagram (BDD) is a directed, acyclic graph with terminal nodes, labeled from the set $\{0,1\}$, and non-terminal nodes, labeled from the set of variable names. Only non-terminal nodes have outgoing arcs, and each non-terminal node has exactly two outgoing arcs, labeled 0 and 1. Every non-terminal node in the graph represents some logic function $f$. A non-terminal node is represented by the tuple $(x, f_{x=0}, f_{x=1})$, where $x$ is the variable name, and the 0 and 1 arcs point to the cofactors $f_{x=0}$ and $f_{x=1}$, respectively (given a function $f$ on variables $x_1, \dots, x_n$, the cofactors of $f$ with respect to $x_i$ are

$f_{x_i=c} = f(x_n, \dots, x_{i+1}, c, x_{i-1}, \dots, x_1)$).

An ordered BDD (OBDD) has a total ordering on the variables such that any path of the graph must visit variables in that order. Finally, a reduced OBDD (ROBDD) has the following properties: there are at most two terminal nodes, with labels 0 and 1; there is no non-terminal node $(x, f_{x=0}, f_{x=1})$ with $f_{x=0}$ equal to $f_{x=1}$; and all non-terminals are unique, i.e., there are no two nodes $(x, f_{x=0}, f_{x=1})$ and $(x, g_{x=0}, g_{x=1})$ where $(f_{x=0} = g_{x=0}) \wedge (f_{x=1} = g_{x=1})$. Given a total ordering on the variables, ROBDDs are a canonical representation: two logic functions $f$ and $g$ are equivalent iff $f$ and $g$ are represented by the same ROBDD. Bryant [?] showed how ROBDDs can be efficiently manipulated. In the following we use "BDD" to mean "ROBDD".

    BDDexplore(P, T, I, O, H, g, m^[0])
    1. O ← ∅;                 • O: old reachability set
    2. S ← {m^[0]};           • S: current reachability set
    3. while S ≠ O do
    4.     O ← S;
    5.     S ← Δ(S) ∪ S;
    6. return S;

Fig. 3. A BDD-based procedure to generate S.



Pastor et al. [?] use BDDs for the generation and storage of the reachability set of a safe Petri net. In [?] the authors partition $\mathcal{P}$ into $K = |\mathcal{P}|$ subsets, with each subset containing a single place. In this case, each place can contain at most one token, so the simple encoding of a single BDD variable per place is used. A BDD is used to encode $\chi_S$, the characteristic function of $S$, defined by $\chi_S(m_{|\mathcal{P}|}, \dots, m_1) = 1$ iff $\mathbf{m} \in S$. Hence, we can talk equivalently of boolean functions or sets. The main result of [?] is that, given a set of markings $\mathcal{A}$, we can compute the BDD for the set $\Delta(\mathcal{A})$ of markings reachable from them in one firing, where the operator $\Delta$ is itself encoded as a BDD and can be built based on the Petri net definition. Fig. 3 illustrates the idea (we show a simplified version of the algorithm in [?]). Of course, the sets $O$, $S$, and $\Delta(S)$ are all encoded as BDDs. More sophisticated partitions and encodings are discussed in [?], where invariants are used to reduce the number of boolean variables.

A fundamental property ensuring an efficient approach is that the number of iterations performed by BDDexplore is bounded by the sequential depth of the Petri net, that is, the maximum number of firings required to reach any marking starting from $\mathbf{m}^{[0]}$ (a quantity no larger than the diameter of the reachability graph). Thus, while each iteration usually implies a substantial computation, the number of iterations is usually quite small.

When the Petri net is not safe, the authors suggest two obvious ways to encode the number of tokens of place $p_i$ using booleans. If place $p_i$ is $k$-bounded, we can use a one-hot encoding with $k$ variables $b_1, \dots, b_k$, at most one of which will be nonzero in any marking (they are all zero iff $p_i$ is empty), or a binary encoding with $\lceil \log_2(k+1) \rceil$ variables. The former results in more boolean variables overall, but also in a simpler encoding of the $\Delta$ function.



2.3 Multi-valued Decision Diagrams

BDDs have been generalized to integer functions on integer (instead of binary) variables, resulting in MDDs [?] (see also the "shared trees" in [?]). MDDs can then represent functions of the form

$S_1 \times S_2 \times \cdots \times S_K \to \{0, \dots, m-1\},$

where $S_i = \{0, \dots, N_i - 1\}$. Non-terminal MDD nodes labeled with variable $x_i$ have exactly $N_i$ outgoing arcs, labeled 0 through $N_i - 1$; if $f$ is the function represented by the node, we write it as $(x_i, f_{x_i=0}, \dots, f_{x_i=N_i-1})$. Terminal MDD nodes are labeled from the set $\{0, \dots, m-1\}$. The definitions for ordered and reduced MDDs are similar to those for BDDs. As with ROBDDs, given a total ordering on the variables, reduced ordered MDDs (ROMDDs) are a canonical representation. We use "MDD" to mean "ROMDD".

An example is depicted in Fig. 4. The MDD shown represents the function $\min(a, b, c)$, where $a$, $b$, $c$ can take on the values $\{0, 1, 2\}$. The MDD is reduced: no two nodes are equivalent and no node exists with all output arcs equal.

We can manipulate MDDs by using the Case operator, defined in [?] by $Case(F, G^0, \dots, G^{m-1}) = G^i$ if $F = i$, where the range of $F$ is $\{0, \dots, m-1\}$. A recursive algorithm for computing the Case operator based on the relation

$Case(F, G^0, \dots, G^{m-1})_{x=i} = Case(F_{x=i}, G^0_{x=i}, \dots, G^{m-1}_{x=i})$

is given in Fig. 5. Given reduced MDDs, the algorithm returns a reduced MDD. The reductions are performed in line 9, which ensures that a node with equal arcs is not created, and in line 12, which ensures that two equivalent nodes are not created. Equivalent nodes are detected via a uniqueness table, usually implemented as a hash table. Before a new node is created, the uniqueness table is checked for an equivalent existing node. Another data structure used by an implementation of MDDs is a cache of operations. This prevents duplication of work, as a second call to Case with the same parameters will use the result saved in the cache. Both the node uniqueness table and the cache are well-known techniques that apply equally well to MDDs and BDDs [?].

Fig. 4. MDD representing min(a, b, c) (figure not reproduced here)

    Case(F, G^0, ..., G^{m-1})
    1.  if F is a constant r then return G^r;
    2.  if G^0 = G^1 = ··· = G^{m-1} then return G^0;
    3.  if G^0 = 0 ∧ ··· ∧ G^{m-1} = m-1 then return F;
    4.  if cache contains entry for (F, G^0, ..., G^{m-1}) then
    5.      return cache entry result;
    6.  let x_k be the top variable of F, G^0, ..., G^{m-1};
    7.  for i ← 0 to N_k - 1 do
    8.      H^i ← Case(F_{x_k=i}, G^0_{x_k=i}, ..., G^{m-1}_{x_k=i});
    9.  if H^0 = H^1 = ··· = H^{N_k-1} then
    10.     R ← H^0;
    11. else
    12.     R ← UniqueTableInsert(x_k, H^0, ..., H^{N_k-1});
    13. add [(F, G^0, ..., G^{m-1}), R] to cache;
    14. return R;

Fig. 5. Algorithm for the Case operator

Like BDDs, MDDs can be used to represent a set S of integer tuples by stor- 
ing the characteristic function xs of the set. Sets can then be manipulated using 
MDD operations on their characteristic functions. For instance, the union of two 
sets is computed by xavjB = Union{xA^ Xb) = Case{xA^ XB, 1) and the intersec- 
tion of two sets is computed by XAnB = Intersect{xA^ Xb) = Case{xAi Oj Xb)- In 
the remainder of the paper, we use the operators Union and Intersect for clar- 
ity, with the understanding that they are implemented using the Case operator. 
Also, we will sometimes write S instead of xs, with the understanding that S is 
always represented by its characteristic function xs ■ 

3 Our Technique

As in any structured approach, we assume that the partition of $\mathcal{P}$ into $K$ sets $\mathcal{P}_K, \ldots, \mathcal{P}_1$ has been performed according to some criterion. In our case, we require a "product-form" decomposition, that is:

1. There exist $K$ functions $\mathrm{Enabled}_k : T \times S_k \to \{0, 1\}$ such that

$\forall t \in T,\ \mathrm{Enabled}(t, m) = \mathrm{Enabled}_K(t, m_K) \wedge \cdots \wedge \mathrm{Enabled}_1(t, m_1)$.

2. There exist $K$ functions $\mathrm{New}_k : T \times S_k \to S_k$ such that

$\forall t \in T,\ n = \mathrm{New}(t, m) \Leftrightarrow n_K = \mathrm{New}_K(t, m_K) \wedge \cdots \wedge n_1 = \mathrm{New}_1(t, m_1)$.

Such a partition can be found automatically, from a simple inspection of the marking-dependent expressions for $I$, $O$, $H$, and $g$. Assuming that each $g(t, \cdot)$ is expressed as a conjunction of terms, $g(t, \cdot) = f_1(t, \cdot) \wedge \cdots \wedge f_{r_t}(t, \cdot)$, and letting $\mathcal{G}$ be the union of these terms, over all transitions, algorithm Partition can be used for this purpose (Fig. 6). In particular, if $I$, $O$, and $H$ are not marking-dependent and $g$ is identically equal to 1, the previous two criteria are satisfied by the finest partition, where $K = |\mathcal{P}|$, i.e., each place is in a class by itself. Of course, any coarsening of a product-form partition is itself a product-form partition, so it could be used as well. We illustrate the effect of this choice in Sect. 5, but finding a "good" partition is still an open problem.

A concept of locality for both the enabling condition and the effect of firing, more refined than the one we introduced in […], is expressed by making use of the functions just introduced. A transition $t$ is local to exactly $\{\mathcal{P}_{k_1}, \ldots, \mathcal{P}_{k_n}\}$ if

$\forall k \notin \{k_1, \ldots, k_n\},\ \forall m_k \in S_k,\ \mathrm{Enabled}_k(t, m_k) = 1 \wedge \mathrm{New}_k(t, m_k) = m_k$
Partition($\mathcal{P}$, $T$, $I$, $O$, $H$, $g$)
1. $\mathcal{R} \leftarrow \{\{p_1\}, \{p_2\}, \ldots, \{p_{|\mathcal{P}|}\}\}$; • finest possible partition
2. for each $p \in \mathcal{P}$ do
3.   find $\mathcal{P}_i \in \mathcal{R}$ such that $p \in \mathcal{P}_i$;
4.   for each arc with marking-dependent cardinality $f$ connected to $p$ and each guard expression $f \in \mathcal{G}$ containing $p$ do
5.     for each $p' \in \mathcal{P} \setminus \mathcal{P}_i$ appearing in the expression for $f$ do
6.       find $\mathcal{P}_j \in \mathcal{R}$ such that $p' \in \mathcal{P}_j$;
7.       $\mathcal{R} \leftarrow \mathcal{R} \setminus \{\mathcal{P}_i, \mathcal{P}_j\} \cup \{\mathcal{P}_i \cup \mathcal{P}_j\}$; • merge $\mathcal{P}_i$ and $\mathcal{P}_j$
8. return $\mathcal{R}$;

Fig. 6. Algorithm to find the finest product-form partition $\mathcal{R} = \{\mathcal{P}_K, \ldots, \mathcal{P}_1\}$ of $\mathcal{P}$.



(i.e., if $k \notin \{k_1, \ldots, k_n\}$, the marking of $S_k$ does not affect the enabling, nor is it affected by the firing, of $t$).
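The following Python program is an added illustration, not code from the paper or from SMART: it runs the Partition algorithm of Fig. 6 as a union-find over places and then applies the locality definition above to classify each transition as local or synchronizing. The input format (each coupling is the set of places that one marking-dependent cardinality or guard term ties together) and the six-place net are assumptions made for the example.

```python
# Added example, not the paper's code: the Partition algorithm of Fig. 6 as a
# union-find over places, followed by the locality test of Sect. 3 (which
# classes each transition touches).  The net at the bottom is a constructed
# assumption; "couplings" is an assumed input format, see below.
def partition(places, couplings):
    """Finest product-form partition (Fig. 6).  Start from singletons and merge
    the class of p with the class of every place p' that appears in the same
    marking-dependent arc cardinality or guard term as p (lines 4-7).
    Each element of `couplings` is the set of places one such expression refers
    to (for an arc, the connected place plus the places in its cardinality)."""
    parent = {p: p for p in places}              # union-find forest over places
    def find(p):
        while parent[p] != p:
            parent[p] = parent[parent[p]]        # path halving
            p = parent[p]
        return p
    for term in couplings:
        for p in term:
            for q in term:
                parent[find(p)] = find(q)        # merge the classes of p and q
    classes = {}
    for p in places:
        classes.setdefault(find(p), []).append(p)
    return sorted(sorted(c) for c in classes.values())

def locality(classes, transitions):
    """For each transition, the classes it is local to: those holding a place
    whose marking it reads (input, inhibitor, guard) or changes.  A transition
    local to one class is local in the paper's sense; the rest synchronize."""
    class_of = {p: i for i, c in enumerate(classes) for p in c}
    return {t: sorted({class_of[p] for p in touched})
            for t, touched in transitions.items()}

# Constructed net: t1 has an arc from p1 whose cardinality depends on p2, t2 has
# the guard p3 + p4 > 0 and also consumes from p5, t3 only touches p6.
PLACES = ["p1", "p2", "p3", "p4", "p5", "p6"]
COUPLINGS = [{"p1", "p2"}, {"p3", "p4"}]
TOUCHED = {"t1": {"p1", "p2"}, "t2": {"p3", "p4", "p5"}, "t3": {"p6"}}

if __name__ == "__main__":
    classes = partition(PLACES, COUPLINGS)
    print(classes)                               # [['p1', 'p2'], ['p3', 'p4'], ['p5'], ['p6']]
    print(locality(classes, TOUCHED))            # t1 and t3 are local, t2 is synchronizing
```

Note that a guard coupling p3 and p4 forces them into one class, but t2 still synchronizes two classes because it also consumes from p5; coarsening the partition (merging the class of p5 into that of p3 and p4) would make t2 local, at the price of a larger local state space, which is the trade-off the paper leaves open.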

We are now ready to discuss state space generation using MDDs. Since $\mathcal{P}$ has been partitioned into $K$ sets, we use a $K$-variable MDD to store $S$. As discussed in Sect. […], a submarking $m_k \in S_k$ can be indexed by a (small) integer $m_k \in \{0, 1, \ldots, |S_k| - 1\}$. In the following, and in our implementation, we use this encoding for both simplicity and efficiency. Henceforth, we write $\mathrm{Enabled}_k(t, m_k)$ and $n_k = \mathrm{New}_k(t, m_k)$ instead of $\mathrm{Enabled}_k(t, \mathbf{m}_k)$ and $\mathbf{n}_k = \mathrm{New}_k(t, \mathbf{m}_k)$, to stress that we are operating on (local) indices, but we will keep talking about (sub)markings, with the understanding that only indices are really stored in our MDDs.

To generate the reachability set $S$, we must manipulate the MDD representation of $S$ to simulate the firing of transitions. We first show how to do this for local transitions (local to exactly one $\mathcal{P}_k$), and then for synchronizing transitions (local to more than one set of places).

3.1 Local Transition Firing

A transition $t$ local to exactly one set of places $\mathcal{P}_k$ has the special property that $t$ only affects places in $\mathcal{P}_k$. More formally, this says that $\mathrm{Enabled}(t, m) = \mathrm{Enabled}_k(t, m_k)$ and $\mathrm{New}(t, m) = [m_K, \ldots, m_{k+1}, \mathrm{New}_k(t, m_k), \ldots, m_1]$.

This implies that, for any reachable marking $[\alpha, m_k, \beta]$ and any local transition $t$ such that $\mathrm{Enabled}_k(t, m_k)$, marking $[\alpha, \mathrm{New}_k(t, m_k), \beta]$ is also reachable. Thus, the markings $[\alpha, \mathrm{New}_k(t, m_k), \beta]$ must be added to $S$, through the arc update

$f_{x_k = \mathrm{New}_k(t, m_k)} \leftarrow \mathrm{Union}(f_{x_k = m_k}, f_{x_k = \mathrm{New}_k(t, m_k)})$ (1)

for each MDD node $f$ in $\chi_S$ labeled with variable $x_k$. After performing this operation, for any reachable marking $[\alpha, m_k, \beta]$, the marking $[\alpha, \mathrm{New}_k(t, m_k), \beta]$ is now reachable. To see this, consider the path in $\chi_S$ for $[\alpha, m_k, \beta]$ ending at terminal node 1. If the path contains a node labeled with $x_k$, then the update ensures that there is also a path for $[\alpha, \mathrm{New}_k(t, m_k), \beta]$ ending at 1, found by following the downward arc $\mathrm{New}_k(t, m_k)$ instead of $m_k$ at node $x_k$. Otherwise,
DoLocals($S$)
1. if $S = 0$ return 0;
2. if $S = 1$ return 1;
3. if cache contains the entry for $S$ then
4.   return cache entry result;
5. let $x_k$ be the top variable of $S$;
6. $\mathit{Changed} \leftarrow \emptyset$;
7. for $i \leftarrow 0$ to $N_k - 1$ do
8.   $H^i \leftarrow \mathrm{DoLocals}(S_{x_k=i})$;
9.   if $H^i \neq 0$ then $\mathit{Changed} \leftarrow \mathit{Changed} \cup \{i\}$;
10. while $\mathit{Changed} \neq \emptyset$ do
11.   remove some element $i$ from $\mathit{Changed}$;
12.   for each transition $t$ local to $\mathcal{P}_k$ do
13.     if $\mathrm{Enabled}_k(t, i)$ then
14.       $j \leftarrow \mathrm{New}_k(t, i)$;
15.       $T \leftarrow \mathrm{Union}(H^i, H^j)$; • Application of Eq. (1)
16.       if $T \neq H^j$ then
17.         $\mathit{Changed} \leftarrow \mathit{Changed} \cup \{j\}$;
18.         $H^j \leftarrow T$;
19. if $H^0 = H^1 = \cdots = H^{N_k-1}$ then
20.   $R \leftarrow H^0$;
21. else
22.   $R \leftarrow \mathrm{UniqueTableInsert}(x_k, H^0, \ldots, H^{N_k-1})$;
23. add $[S, R]$ to cache;
24. return $R$;

Fig. 7. Algorithm for firing local transitions



the path does not contain a node labeled with $x_k$, and thus does not depend on variable $x_k$; in this case, the path for $[\alpha, x_k, \beta]$ ends at 1 for any value of $x_k$.

The operation performed by Eq. (1) adds to $S$ all the markings reached by firing a single local transition $t$ when the submarking for $S_k$ is $m_k$. To completely simulate the firing of transition $t$, we perform this operation for all submarkings $m_k$ such that $\mathrm{Enabled}_k(t, m_k)$. This can be done "in parallel": each MDD node in $\chi_S$ labeled with variable $x_k$ is visited once, and Eq. (1) is applied to multiple submarkings $m_k$. In fact, we can perform Eq. (1) for all transitions local to $\mathcal{P}_k$ in one operation.

This idea is the basis for our local transition manipulation algorithm, shown in Fig. 7. Given a set of markings $S$, DoLocals returns the set of markings that can be reached by a marking in $S$ firing any sequence of local transitions (including none). The algorithm visits each MDD node in $\chi_S$ and, based on the variable label $x_k$ of the node, fires transitions local to $\mathcal{P}_k$ using Eq. (1). Arcs that change are added to the set $\mathit{Changed}$, and are explored again.

3.2 Synchronizing Transition Firing

A transition $t$ local to more than one $S_k$ requires checking more than one set of places to determine its enabling and the markings reached when it fires. If $t$ is local to $\mathcal{P}_{k_1}, \ldots, \mathcal{P}_{k_n}$, then $\mathrm{Enabled}(t, m) = \mathrm{Enabled}_{k_1}(t, m_{k_1}) \wedge \cdots \wedge \mathrm{Enabled}_{k_n}(t, m_{k_n})$. We cannot simulate the firing of a synchronizing transition $t$ by examining MDD nodes in isolation as we did with local transitions. Instead, to add the markings reached when $t$ fires, we must perform three distinct operations: determine the set of markings that enable $t$, determine the new markings reached after $t$ fires, and add the new markings to the set of reachable markings.

Given $t$, we compute the set of potential markings enabling $t$ as

$\chi_{\mathcal{E}(t)}(x_K, \ldots, x_1) = \mathrm{Enabled}_K(t, x_K) \wedge \cdots \wedge \mathrm{Enabled}_1(t, x_1)$.

Assuming the sets $S_k$ can be generated a priori, the sets $\mathcal{E}(t)$ can also be computed once a priori and used throughout the entire state space generation process. Otherwise, $\mathcal{E}(t)$ must be recomputed whenever a new marking is added to $S_k$. Either way, once we have obtained $\mathcal{E}(t)$, we can compute the set of markings in $S$ that enable $t$ as $\mathrm{Intersect}(S, \mathcal{E}(t))$.

Then, we simulate the firing of $t$ by updating the submarkings affected by $t$. For each marking $[m_K, \ldots, m_1]$ that enables $t$, the marking $[m'_K, \ldots, m'_1]$ is reached after $t$ fires, where $m'_k = \mathrm{New}_k(t, m_k)$ if $t$ is local to $\mathcal{P}_k$, $m'_k = m_k$ otherwise. This set of markings is computed using the Fire operator, whose algorithm is shown in Fig. 8. Given a set of markings that enable $t$, Fire returns the set of markings reached after $t$ fires by copying the downward arc of $m_k$ from the input set to $\mathrm{New}_k(t, m_k)$ in the output set (lines 11 and 12). Recall that $\mathrm{New}_k(t, m_k) = m_k$ for all $m_k$ if $t$ is not local to $\mathcal{P}_k$; thus, Fire performs a simple copy in this case. The Union operator in line 12 is required because, with marking-dependent arc cardinalities, the firing of $t$ in multiple submarkings $i$ might lead to the same submarking $j$. Note that the Fire operator requires us to specify the parameter $x_k$, which represents the "current variable", because it may change "don't care" variables. This can occur if every submarking enables $t$ but not every submarking is reached by firing $t$. Finally, Fire returns $S$ unchanged if the top variable $x_k$ is past $\mathrm{Last}(t) = \min\{k : t \text{ is local to } \mathcal{P}_k\}$, the last submarking affected by $t$.



3.3 Our Generation Algorithm

The generation algorithm is shown in Fig. 9. It consists of two phases per iteration. The first phase, represented by line 3, finds all submarkings that can be reached from the current $S$ by firing only sequences of local transitions. The second phase, represented by lines 5 through 8, handles the synchronizing transitions.

Thus, the number of iterations required by MDDexplore is bounded by one (to recognize that $S$ has not changed) plus the synchronizing depth of the net (as opposed to the sequential depth of [13]), defined as $\max_{m \in S}\{d(m)\}$, where

$d(m) = \min\{n \in \mathbb{N} : \exists (t^1_1, \ldots, t^1_{l_1}, y^1, t^2_1, \ldots, t^2_{l_2}, y^2, \ldots, y^n, t^{n+1}_1, \ldots, t^{n+1}_{l_{n+1}}) \in T^*$ with $l_i \geq 0$, $t^i_j$ local transitions and $y^i$ synchronizing transitions, whose firing leads from $m^{[0]}$ to $m\}$.

The actual number of iterations can be smaller, depending on the order in which synchronizing transitions are processed: transition $y^2$ in the sequence
Fire($x_k$, $S$, $t$)
1. if $S = 0$ return 0;
2. if $k < \mathrm{Last}(t)$ return $S$; • $k < \mathrm{Last}(t)$ then $t$ does not affect $S$
3. if cache contains entry for $(x_k, S, t)$ then
4.   return cache entry result;
5. let $x_{k'}$ be the top variable of $S$;
6. while ($t$ not local to $\mathcal{P}_k$) and ($k > k'$) do
7.   $k \leftarrow k - 1$;
8. for $i \leftarrow 0$ to $N_k - 1$ do
9.   $H^i \leftarrow 0$;
10. for $i \leftarrow 0$ to $N_k - 1$ do
11.   $j \leftarrow \mathrm{New}_k(t, i)$;
12.   $H^j \leftarrow \mathrm{Union}(H^j, \mathrm{Fire}(x_{k-1}, S_{x_k=i}, t))$;
13. if $H^0 = H^1 = \cdots = H^{N_k-1}$ then
14.   $R \leftarrow H^0$;
15. else
16.   $R \leftarrow \mathrm{UniqueTableInsert}(x_k, H^0, \ldots, H^{N_k-1})$;
17. add $[(x_k, S, t), R]$ to cache;
18. return $R$;

Fig. 8. Algorithm for firing synchronizing transitions



MDDexplore($m^{[0]}$)
1. $S \leftarrow \{x_K = m^{[0]}_K \wedge \cdots \wedge x_1 = m^{[0]}_1\}$; • Set $S$ to the initial marking
2. repeat forever
3.   $S \leftarrow \mathrm{DoLocals}(S)$;
4.   $O \leftarrow S$; • Save old set of reachable states
5.   for each synchronizing transition $t$ do
6.     $\mathcal{E} \leftarrow \mathrm{Intersect}(S, \mathcal{E}(t))$; • $\mathcal{E}$ is the set of markings that enable $t$
7.     $\mathcal{F} \leftarrow \mathrm{Fire}(x_K, \mathcal{E}, t)$; • $\mathcal{F}$ is the set of markings reached after $t$ fires
8.     $S \leftarrow \mathrm{Union}(S, \mathcal{F})$; • Add $\mathcal{F}$ to $S$
9.   if $O = S$ return $S$;

Fig. 9. Algorithm to compute $S$



$(y^1, y^2)$ leading from $m^{[0]}$ to $m$ is considered during the first iteration if $y^1$ is processed before $y^2$, during the second iteration otherwise ([…] already recognized the importance of a good "chaining" order).
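The Case operator and the set operations of Sect. 2 together with DoLocals, Fire and MDDexplore (Figs. 7, 8 and 9) are illustrated by the following Python program, which is an added example and not code from the paper or from SMART. The MDD class (integer node ids, a uniqueness table and one operation cache, as the text describes), the representation of a transition as a map from the levels it is local to onto its $(\mathrm{Enabled}_k, \mathrm{New}_k)$ pair, and the two-level producer/buffer model are all assumptions made for the example; the per-level indices play the role of the submarking indices $m_k \in \{0, \ldots, |S_k| - 1\}$.

```python
# Added example, not the paper's or SMART's code: a small ROMDD library
# (uniqueness table, operation cache, Case, Union/Intersect on characteristic
# functions) plus the DoLocals / Fire / MDDexplore algorithms of Figs. 7-9, run
# on a constructed producer/buffer model.  Class and function names are assumed.
class MDD:   # reduced ordered MDD over x_K (top) ... x_1; terminals are the integers 0..m-1
    def __init__(self, sizes, m=2):
        self.N, self.K, self.m = sizes, max(sizes), m      # sizes = {k: N_k}
        self.nodes, self.unique, self.cache = {}, {}, {}    # id -> (k, arcs); uniqueness table; cache
    def var(self, f):                   # variable label of a node; terminals sit below x_1
        return self.nodes[f][0] if f >= self.m else 0
    def child(self, f, k, i):           # f restricted to x_k = i (its downward arc)
        return self.nodes[f][1][i] if self.var(f) == k else f
    def insert(self, k, arcs):          # Fig. 5, lines 9-12: no equal-arc node, then hash-cons
        if all(a == arcs[0] for a in arcs):
            return arcs[0]
        key = (k, tuple(arcs))
        if key not in self.unique:
            self.unique[key] = len(self.nodes) + self.m
            self.nodes[self.unique[key]] = key
        return self.unique[key]
    def case(self, f, *g):              # Case(F, G^0, ..., G^{m-1}) = G^i where F = i
        if f < self.m:
            return g[f]
        if ("case", f, g) not in self.cache:
            k = max(self.var(h) for h in (f,) + g)   # top variable among the operands
            self.cache[("case", f, g)] = self.insert(k, [self.case(self.child(f, k, i),
                *(self.child(h, k, i) for h in g)) for i in range(self.N[k])])
        return self.cache[("case", f, g)]
    def union(self, a, b): return self.case(a, b, 1)       # chi_{A u B}
    def intersect(self, a, b): return self.case(a, 0, b)   # chi_{A n B}
    def singleton(self, mk):            # chi of one marking [m_K, ..., m_1], built bottom-up
        node = 1
        for k in range(1, self.K + 1):
            arcs = [0] * self.N[k]
            arcs[mk[self.K - k]] = node
            node = self.insert(k, arcs)
        return node
    def tuples(self, f, k=None):        # enumerate the set encoded by f (small sets only)
        k = self.K if k is None else k
        if k == 0:
            return {()} if f == 1 else set()
        return {(i,) + r for i in range(self.N[k]) for r in self.tuples(self.child(f, k, i), k - 1)}

# A transition maps each level k it is local to onto (Enabled_k, New_k); one entry = local.
def enabling_set(mdd, t):               # chi_E(t) = AND_k Enabled_k(t, x_k)
    e = 1
    for k, (enabled, _) in t.items():
        e = mdd.intersect(e, mdd.insert(k, [int(enabled(i)) for i in range(mdd.N[k])]))
    return e
def do_locals(mdd, S, local_ts):        # Fig. 7: close S under local firings, node by node
    if S < mdd.m:
        return S
    if ("locals", S) not in mdd.cache:
        k = mdd.var(S)
        H = [do_locals(mdd, mdd.child(S, k, i), local_ts) for i in range(mdd.N[k])]
        changed = {i for i in range(mdd.N[k]) if H[i] != 0}
        while changed:
            i = changed.pop()
            for t in local_ts:
                if k in t and t[k][0](i):
                    j = t[k][1](i)
                    T = mdd.union(H[i], H[j])      # Eq. (1): arc j absorbs arc i
                    if T != H[j]:
                        changed.add(j)
                        H[j] = T
        mdd.cache[("locals", S)] = mdd.insert(k, H)
    return mdd.cache[("locals", S)]
def fire(mdd, k, S, t):                 # Fig. 8: markings reached when t fires from S
    if S == 0 or k < min(t):            # Last(t) = min{k : t local to P_k}
        return S
    key = ("fire", k, S, id(t))
    if key not in mdd.cache:
        while k not in t and k > mdd.var(S):     # skip don't-care levels t does not touch
            k -= 1
        new = t[k][1] if k in t else (lambda i: i)   # New_k(t, i) = i if t not local to P_k
        H = [0] * mdd.N[k]
        for i in range(mdd.N[k]):
            if mdd.child(S, k, i) != 0:
                H[new(i)] = mdd.union(H[new(i)], fire(mdd, k - 1, mdd.child(S, k, i), t))
        mdd.cache[key] = mdd.insert(k, H)
    return mdd.cache[key]
def mdd_explore(mdd, initial, transitions):   # Fig. 9; returns (chi_S, iterations)
    local_ts = [t for t in transitions if len(t) == 1]
    sync_ts = [t for t in transitions if len(t) > 1]
    E = {id(t): enabling_set(mdd, t) for t in sync_ts}   # E(t) computed once, a priori
    S, iterations = mdd.singleton(initial), 0
    while True:
        iterations += 1
        S = do_locals(mdd, S, local_ts)
        O = S
        for t in sync_ts:
            S = mdd.union(S, fire(mdd, mdd.K, mdd.intersect(S, E[id(t)]), t))
        if O == S:
            return S, iterations

# Constructed model: level 2 = producer state {0: idle, 1: ready}, level 1 = buffer {0, 1, 2}.
PREPARE = {2: (lambda i: i == 0, lambda i: 1)}        # local: idle -> ready
CONSUME = {1: (lambda i: i > 0, lambda i: i - 1)}     # local: remove one item
PUT = {2: (lambda i: i == 1, lambda i: 0),            # synchronizing: ready -> idle and
       1: (lambda i: i < 2, lambda i: i + 1)}         # one more item in the buffer
```

Running `mdd_explore(MDD({1: 3, 2: 2}), (0, 0), [PREPARE, CONSUME, PUT])` returns the terminal node 1 (all six markings are reachable, so the reduced MDD collapses to a single terminal) after three iterations: each iteration adds one more buffer occupancy through the synchronizing transition, and the local closure then fills in the producer states and the consumptions for free. Because the node ids are hash-consed, `union(A, B) == union(B, A)` holds as an integer comparison, which is the canonicity property the text relies on for the `O = S` test in line 9 of Fig. 9.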



3.4 Logical Queries on the State Space

Once $S$ has been generated, it can be used to answer various classes of logical queries, by performing MDD operations. For instance, suppose we want to compute the set of reachable markings satisfying some boolean condition $q$. To do this, we first build the set $Q$ of potential markings in $S_K \times \cdots \times S_1$ that satisfy $q$, and then compute $S \cap Q$. First, let us consider a simple query whose condition is enforced at a single level $k$. Given a condition $f_k : S_k \to \{0, 1\}$, we compute the set of submarkings $Q$ that satisfy $f_k$:

$\chi_Q(x_K, \ldots, x_1) = f_k(x_k)$.

Complex queries are answered by combining simple queries. An important example is asking for the set of reachable (absorbing, or dead) markings that do not enable any transition. First, we compute $Q(t)$, the set of potential markings that do not enable $t$, by

$\chi_{Q(t)}(x_K, \ldots, x_1) = (\mathrm{Enabled}_K(t, x_K) = 0) \vee \cdots \vee (\mathrm{Enabled}_1(t, x_1) = 0)$

for all transitions $t$. Next, we compute the set of potential markings that do not enable any transition, $Q = \bigcap_{t \in T} Q(t)$. Finally, $S \cap Q$ gives us the reachable absorbing markings.

Another important class of queries deals with the possibility of a condition $b$ occurring after a condition $a$ has occurred. To answer this question we build the subsets $Q_a$ and $Q_b$ of $S_K \times \cdots \times S_1$ satisfying $a$ or $b$, respectively. Then, we run MDDexplore except that, in line 1, $S$ is initialized to the set $S \cap Q_a$ of reachable markings satisfying $a$, instead of the initial marking. The intersection of the resulting $S$ with $Q_b$ gives exactly the set of markings satisfying $b$ that can be reached from some reachable marking satisfying $a$. In the worst case, this approach requires as many iterations as for the original generation of $S$.

4 Implementation Issues

One way to implement an MDD data structure is to map each MDD node onto a BDD structure using some encoding. With this approach, MDD operators are translated into equivalent operations on the underlying BDD. Indeed, both Kam's PhD thesis […] and the timing results in […] seem to suggest that this achieves high(er) efficiency. Instead, we choose to implement MDDs directly, where each MDD node contains some node information (the variable index, the number of downward pointers, etc.) and an array of downward pointers. As the next section shows experimentally, our approach can be vastly superior (at least for the examples we used). In the first two applications, assigning one (safe) place per level effectively reduces our implementation to the BDD case, and doing so results in much higher execution times (even if locality is exploited in either case) and memory consumption.

To conserve memory in our implementation, MDD nodes store node indices instead of full pointers. In particular, MDD nodes labeled with variable $x_1$ can only have downward pointers to terminal nodes 0 and 1; thus, an array of bits is used. More sophisticated MDD node storage schemes would be possible, including sparse array storage and other forms of compression. This is because we do not directly modify MDD nodes: we use temporary full integer arrays during MDD node construction (e.g., for storing $H^0, \ldots, H^{N_k-1}$ in algorithm Case), which are copied into appropriately-sized structures for long-term storage. In our experience, this compression introduces a 10%-20% CPU overhead, but it typically reduces memory usage by a factor of 4.

In our studies, we have assumed that the local reachability sets $S_k$ (or supersets of them) are computable in isolation, i.e., before the generation of the overall reachability set $S$. This is a common assumption with structured approaches (e.g., […]), and certainly with safe nets, for which $S_k \subseteq \{0, 1\}^{|\mathcal{P}_k|}$ by definition. This restriction can be lifted by dynamically generating local reachability sets $S_k$ during generation of $S$. This requires a more complex implementation of $\mathrm{Enabled}_k$ and $\mathrm{New}_k$, where the first time $\mathrm{New}_k(t, m_k)$ is called on $m_k$, we compute the reached submarking $n_k$ and add it to $S_k$, if necessary.

We conclude this section with an observation. At each iteration, algorithm MDDexplore considers the firing of sequences of local transitions before examining the synchronizing transitions. This is in contrast to the algorithm proposed in […], which does not exploit the concept of locality, and is one of the reasons for our greater efficiency. As exploring the firing of local transitions is considerably less expensive than that of synchronizing transitions, we achieve two goals: we reduce the number of iterations required by MDDexplore (compare the sequential depth of [13] with our synchronizing depth) and we add more markings to $S$ every time we explore the firing of a synchronizing transition (since we fire it from a set $S$ already augmented by the local firings).

5 Results

We now apply our approach to various models taken from the literature. We examine first the dining philosophers and the slotted ring models presented in […]. These are safe Petri nets composed of several identical subnets: the state space size is increased by adding subnets. Then, we consider the flexible manufacturing and Kanban systems presented in […]. These models have a fixed number of places and transitions: the state space size increases with the initial marking.

We implemented our approach in the tool SMART […]. Our results are obtained on a 400 MHz Pentium II workstation under the Linux operating system. No run made use of virtual memory. For each experiment, Table 1 reports:

— The size of the state space $S$.

— The final and peak number of MDD nodes (our data structure grows and contracts during the execution of MDDexplore).

— The final and peak memory consumption, in bytes (peak memory is an indicator of the amount of RAM required to avoid relying on virtual memory, while final memory is of interest in case $S$ is saved for further use).

— The number of iterations performed by MDDexplore.

— The overall CPU times, in seconds.

We also explore the effect of different partitionings of the model into levels, in Fig. 11. Occasional "bumps" in the plots are artifacts of the compression used in our implementation.

5.1 Dining Philosophers

The dining philosopher model is composed of $N$ subnets. The Petri net for the $i$-th philosopher is shown in Fig. 10(a). The net represents a philosopher and the philosopher's right fork. The philosopher's left fork, represented by the dotted place $\mathrm{Fork}_{(i+1) \bmod N}$, is part of the subnet for the next philosopher; it is depicted to illustrate how the subnets interact.

Fig. 10. The four models used in our experiments.

A natural partitioning scheme is to assign each philosopher to a separate level. We also investigate grouping two or three adjacent philosophers together in the same level. Table 1 shows the results for two philosophers per level. We find that grouping more than two philosophers in each level results in worse memory usage and CPU times (Fig. 11). However, there is an interesting tradeoff between having one or two philosophers per level: the former choice results in higher execution times, but lower memory requirements. The grouping where each place is in a different level corresponds to the BDD approach in […] and it is vastly less efficient.

"True" MDDs with locality are extremely efficient for this example, both in terms of memory usage and generation time. There are two main reasons for this. First, our approach requires only two iterations, no matter how many philosopher subnets are present. The synchronizing depth of the model grows as $N$, since the synchronizing transitions are $\mathrm{GetLeft}_i$, $\mathrm{GetRight}_i$, and $\mathrm{Release}_i$, and the farthest markings are those where $N$ forks are taken, as left or right forks. However, any such marking $m$ can be reached from $m^{[0]}$ through $N!$ different firing sequences (if we ignore the position of local transition $\mathrm{GoEat}_i$ in the sequence), and there is always one sequence that respects the order in which the synchronizing transitions are considered in MDDexplore. In other words, the entire reachability set has been discovered by the second execution of statement 3 in MDDexplore. In contrast, the number of iterations reported for the BDD approach grows as $2N + 1$ […].

Second, the MDD contains exactly four distinct nodes at each level (except for the top level, which always has one), no matter how many philosophers we add or how many (adjacent) philosophers we group into each level. This is because a philosopher will either hold both forks, only the left fork, only the right fork, or no fork at all. This is still the case for a level containing several adjacent philosophers, where the left and right forks are the boundary forks between levels. Hence, the final number of MDD nodes in Table 1 is $4(N/2 - 1) + 1 = 2N - 3$. It is interesting to note that the peak number of nodes is also linear, $6N - 15$.

5.2 Slotted Ring Network

The Petri net for a single node of a slotted ring network protocol is shown in Fig. 10(b). The overall model is composed of $N$ such subnets connected by sharing transitions ($\mathrm{Free}_{(i+1) \bmod N}$ and $\mathrm{Used}_{(i+1) \bmod N}$). Table 1 shows the results for a decomposition where each node is in a different level. The effect of other choices, one place per level (essentially a BDD) and two nodes per level, is as for the previous model (Fig. 11). The number of iterations required by MDDexplore is $N/2 + 2$, while that for the BDD approach in […] grows quadratically.

5.3 Flexible Manufacturing System

The FMS model shown in Fig. 10(c) […] is parameterized by the initial number $N$ of tokens in $P_1$, $P_2$, and $P_3$. We compare three different partitioning schemes in Fig. 11. The model is partitioned into 4, 6, or 19 levels. In the first case, the partition is $\{P_1, P_1wM_1, P_1M_1, M_1, P_1d, P_1s, P_1wP_2\}$, $\{P_{12}, P_{12}wM_3, P_{12}M_3, M_3, P_{12}s\}$, $\{P_2, P_2wM_2, P_2M_2, M_2, P_2d, P_2s, P_2wP_1\}$, and $\{P_3, P_3M_2, P_3s\}$. In the second case, it is $\{P_{12}, P_{12}wM_3, P_{12}M_3, M_3, P_{12}s\}$, $\{P_1, P_1wM_1, P_1M_1, M_1\}$, $\{P_1d, P_1s, P_1wP_2\}$, $\{P_2, P_2wM_2, P_2M_2, M_2\}$, $\{P_2d, P_2s, P_2wP_1\}$, and $\{P_3, P_3M_2, P_3s\}$. Finally, the partition with 19 levels is obtained by assigning each place to a different level, with the exception of the complementary places $M_1$, $M_2$, and $M_3$, placed in the same level as the places $P_1M_1$, $P_2M_2$, and $P_{12}M_3$, respectively.

In this model, the effect of the partition choice is extremely noticeable in terms of both memory and execution times, and the finest partition is by far the best. Table 1 reports the detailed results for the 19-level partition. In this case, MDDexplore requires $N + 5$ iterations ($N + 1$ and $N + 2$ are instead required with the 4-level and 6-level partitions, respectively).

5.4 Kanban System

Fig. 10(d) shows the Petri net of a Kanban system […]. This model is parameterized by the number of tokens $N$ initially in $p_1$, $p_2$, $p_3$, and $p_4$. Also for this model we compare different partitioning schemes, in Fig. 11, corresponding to either 4 or 16 levels. The former case is as indicated by the subscripts 1, 2, 3, and 4 in Fig. 10(d), while the latter case assigns one place to each level. In this case, unlike the FMS, the finer partition is much worse than the coarser one. Table 1 shows the results for the 4-level partition. In this case, MDDexplore requires $2N + 1$ iterations, while the 16-level partition requires 5 iterations for $N = 1$ and $3N + 1$ iterations for $N > 1$.

Table 1. Results for our models.

Fig. 11. Effect of different partitions on our models ($N$ on the horizontal axis).
6 Conclusion

We presented a new technique for the generation and storage of the reachability 
set of a Petri net, closely related to recently proposed BDD-based approaches. 
However, our use of multi-valued (not boolean) sets and the exploitation of 
locality to reduce both the number of iterations and the cost of each iteration in 
the generation procedure result in the ability to tackle much larger reachability 
sets than previously possible. 

The application of our results goes beyond that of Petri net analysis, as 
it widens the size of the discrete-state systems for which an exhaustive logical 
verification might be reasonably attempted. 

Much work remains to be done, however. We have demonstrated how the 
choice for the partition of the Petri net places (i.e., the decomposition of the 
discrete-state model), the order in which the levels are considered, and the order 
in which the synchronizing transitions are processed can have a substantial effect 
on the memory and time requirements of the approach. The existence of an effi- 
cient algorithm that can derive an optimal strategy for these choices is unlikely, 
but we shall seek heuristics that work well on models of practical interest. 
Abstract. Symbolic techniques based on BDDs (Binary Decision Diagrams) have emerged as an efficient strategy for the analysis of Petri nets. The existing techniques for the symbolic encoding of each marking use a fixed set of variables per place, leading to encoding schemes with very low density. This drawback has been previously mitigated by using Zero-Suppressed BDDs, which provide a typical reduction of BDD sizes by a factor of two.

Structural Petri net theory provides P-invariants that help to derive more efficient encoding schemes for the BDD representations of markings. P-invariants also provide a mechanism to identify conservative upper bounds for the reachable markings. The unreachable markings determined by the upper bound can be used to alleviate both the calculation of the exact reachability set and the scrutiny of properties. Such an approach drastically decreases the number of variables for marking encoding and significantly reduces memory and CPU requirements.



1 Introduction 

Petri nets (PNs) are a graph-based mathematical formalism that describes systems by modeling causality, concurrency and conflict relations among their events […]. In particular, PNs play an important role in the synthesis and verification of concurrent systems. PNs are applied, for example, to the synthesis and verification of digital asynchronous circuits, to model heterogeneous systems in hardware/software codesign frameworks, and to verify concurrent systems […].

Symbolic analysis of PNs suffers from the state explosion problem […]. The number of reachable markings grows exponentially with the size of the PN description. Temporal logic analysis, hazard verification or circuit synthesis need to express conditions in terms of sets of markings or sequences of events.

S. Donatelli, J. Kleijn (Eds.): ICATPN'99, LNCS 1639, pp. 26–[…], 1999.

(c) Springer-Verlag Berlin Heidelberg 1999
Therefore, the size of the representation of the overall state space is critical and limits the efficiency of formal methods on large practical examples. The major goal of the ongoing research on symbolic analysis of PNs is to increase the size of the systems that can be analyzed.

Over the last decades PNs have been deeply investigated, with a large number of theoretical results available in the literature. In particular, structural theory connects the dynamic behavior of PNs with their underlying structure […]. Until recently none of these well-known results had been used in order to alleviate the BDD-based symbolic analysis of PNs.

This work discusses several techniques for the symbolic analysis of PNs. We will show how structural and symbolic techniques can be efficiently combined in the same framework. Sets of P-invariants retrieved from the PN can be applied to ease the symbolic analysis. Previous analysis techniques already make use of binary vector representations of markings and P-invariants to reduce the number of bits in the vector representations […]. However, they did not exploit the fact that the combination of P-invariants and BDDs already provides information about the reachable markings in the PN.

The proposed algorithms can be classified in two groups according to their 
application to the computation and representation of the reachability set. 

— The first set improves the symbolic BDD representation of the reachability 
set, reducing the number of required Boolean variables and BDD nodes. 
Encoding algorithms will be proposed both for the subclass of safe PNs and 
for general bounded PNs. 

— The second set provides enlarged approximations of the reachability set that can be efficiently computed. These approximations can be applied to conservative verification techniques or to provide approximations of the sets of unreachable markings to further reduce the BDD representations.

The outline of the paper is the following. In Section 2 we introduce some basic notions on PNs and Boolean functions. Section 3 describes by means of an example how symbolic BDD techniques currently encode PNs and demonstrates the existence of room for further improvement. An algorithm to encode safe PNs is presented in Section 4. The algorithm is based on sets of one-token SM-Components, assigning to each place in an SM-Component a unique Boolean function. Section 5 extends the encoding methodology to any bounded PN by using general P-invariants. Each potential token configuration in a P-invariant is assigned a unique Boolean function. Additionally, P-invariants allow us to determine a set of Potentially Reachable Markings. In Section 6 we show that computing a conservative set of unreachable markings may help to further improve the analysis of PNs. Finally, Section 7 presents experiments that demonstrate the efficiency of the proposed encoding techniques. Section 8 concludes the paper and introduces some future research directions.
2 Basic Notations

2.1 Petri Nets

A Petri net (PN) is a four-tuple $N = (\mathcal{P}, T, W, M_0)$ […], where $\mathcal{P}$ and $T$ are sets of places and transitions respectively. $W : (\mathcal{P} \times T) \cup (T \times \mathcal{P}) \to \mathbb{N}$ defines the weighted flow relation. If $W(u, v) > 0$ then there is an arc from $u$ to $v$ with weight $W(u, v)$. The function $M : \mathcal{P} \to \mathbb{N}$ is called a marking, that is, an assignment of a nonnegative integer to each place. If $k$ is assigned to place $p$ in a marking $M$, we will say that $p$ is marked with $k$ tokens ($M(p) = k$). $M_0$ is the initial marking of the PN.

PNs are graphically represented by drawing places as circles, transitions as boxes (or sometimes bars), the flow relation as directed arcs, and tokens as dots circumscribed into the places. Fig. 1(a) depicts a PN with initial marking $M_0 = \{M_0(p_1) = 2, M_0(p_2) = 0, M_0(p_3) = 1, M_0(p_4) = 0\}$.




Fig. 1. (a) A bounded PN and (b) its reachability graph.

The set of markings that can be reached from the initial marking $M_0$ by repeatedly firing the transitions of the net is called the reachability set (denoted RS). Fig. 1(b) shows the reachable markings corresponding to the PN example in Fig. 1(a).

A place $p \in \mathcal{P}$ is called $k$-bounded ($k \in \mathbb{N}$) iff at any reachable marking it does not contain more than $k$ tokens. A PN is bounded iff every place is $k$-bounded for some value $k$. A PN is safe if all places are 1-bounded. Fig. 2 depicts a safe PN describing two competing philosophers.

PNs can be symbolically manipulated by means of BDDs […]. Each place in the PN is considered as an integer variable, being represented by a number of Boolean variables. The RS can be obtained by computing the least fixpoint of the following recurrence:

$S_0 = M_0$

$S_{i+1} = S_i \cup \mathrm{Image}(PN, S_i)$
Fig. 2. PN for two dining philosophers (two instances of $p_1$ are depicted for clarity).

where Image is a function that returns the markings reachable from $S_i$ in one step. In the PN example of Fig. 1(a), $\mathrm{Image}(PN, [2010]) = \{[3002], [0120]\}$.

From now on, we will assume the reader to be familiar with both BDDs and Algebraic Decision Diagrams (ADDs) […].

2.2 Place-Invariants and State Machine Components 

The structure of a PN can be represented by its incidence matrix C, a |P| × |T| integer matrix given by C(p_i, t_j) = W(t_j, p_i) − W(p_i, t_j). The incidence matrix of the PN depicted in Fig. 1(a) is the following: 

$$C = \begin{pmatrix} -2 & 1 & 1 \\ 1 & -1 & 0 \\ 1 & 0 & -1 \\ 0 & -2 & 2 \end{pmatrix}$$

The places of a PN have an associated token conservation equation, usually written in the matrix form M = M_0 + C · σ⃗, where σ⃗ is called the Parikh vector of a sequence of transitions σ. 

Every solution I of the equation I · C = 0 is said to be a P-invariant. A P-invariant I is called semi-positive if I ≥ 0 and I ≠ 0. The support of a semi-positive P-invariant I, denoted by ⟨I⟩, is the set of places p satisfying I(p) > 0. A semi-positive P-invariant I is minimal if no other semi-positive P-invariant J satisfies ⟨J⟩ ⊂ ⟨I⟩. In the sequel, for the sake of simplicity, we refer to P-invariants as invariants. 
Fig. 3. SM decompositions for the dining philosophers example. 



Given an invariant I, any reachable marking M must agree with the initial marking M_0; that is, I · M_0 = I · M. Therefore, invariants can be used to prove that a marking M is not reachable if M and M_0 do not agree on an invariant. 

The PN N_i generated by a subset of places is said to be a State Machine Component (SM) of N if N_i is a strongly connected State Machine. A key result for the contribution of this work is the following: let N_i = (P_i, T_i, W_i, M_{0i}) be an SM-Component of a Petri net N. Then N_i is a minimal semi-positive P-invariant of N. 

The Smith Normal Form (SNF) provides an efficient method to derive invariants for bounded PNs. This technique has been introduced by Desel et al. and generates a basis of all possible invariants (not necessarily minimal or semi-positive). A basis of invariants for the PN in Fig. 1(a) is: 

$$I_1 : \; 2p_1 + 4p_2 - p_4 = 4$$

$$I_2 : \; p_1 + p_2 + p_3 = 3$$
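As an added worked example (not code from the paper), the definitions of Sections 2.1 and 2.2 applied to the PN of Fig. 1(a): the incidence matrix, initial marking and invariant basis are the ones given above, Pre and Post are recovered from C under the assumption that the net has no self-loops, and the reachability set is computed as the least fixpoint of the Image recurrence on explicit sets rather than on BDDs. The invariants I_1 and I_2 are then checked against C and against every reachable marking.

```python
# Incidence matrix C = Post - Pre of the PN in Fig. 1(a), rows p1..p4, columns
# t1..t3, and its initial marking M0 = [2,0,1,0], both transcribed from the paper.
C = [
    [-2,  1,  1],   # p1
    [ 1, -1,  0],   # p2
    [ 1,  0, -1],   # p3
    [ 0, -2,  2],   # p4
]
M0 = (2, 0, 1, 0)
NP, NT = len(C), len(C[0])

# Assumption of this example: the net has no self-loops, so the flow relation W
# can be recovered from C as Pre = W(p, t) = max(-C, 0) and Post = W(t, p) = max(C, 0).
PRE = [[max(-c, 0) for c in row] for row in C]
POST = [[max(c, 0) for c in row] for row in C]


def enabled(marking, t):
    """t is enabled iff every input place holds at least W(p, t) tokens."""
    return all(marking[p] >= PRE[p][t] for p in range(NP))


def fire(marking, t):
    """Firing rule: remove W(p, t) tokens from inputs, add W(t, p) to outputs."""
    return tuple(marking[p] - PRE[p][t] + POST[p][t] for p in range(NP))


def image(markings):
    """Image(PN, S): the markings reachable from some marking in S in one step."""
    return {fire(m, t) for m in markings for t in range(NT) if enabled(m, t)}


def reachability_set(m0):
    """Least fixpoint of S_0 = {M0}, S_{i+1} = S_i U Image(PN, S_i), computed on
    explicit sets; the paper performs the same iteration on BDDs."""
    s = {m0}
    while True:
        nxt = s | image(s)
        if nxt == s:
            return s
        s = nxt


def is_p_invariant(vec):
    """I is a P-invariant iff I . C = 0, i.e. I is orthogonal to every column of C."""
    return all(sum(vec[p] * C[p][t] for p in range(NP)) == 0 for t in range(NT))


def invariant_value(vec, marking):
    """I . M: the weighted token count that the invariant conserves."""
    return sum(i * m for i, m in zip(vec, marking))


# Basis of invariants given in the text: I1: 2p1 + 4p2 - p4 = 4, I2: p1 + p2 + p3 = 3.
I1 = (2, 4, 0, -1)
I2 = (1, 1, 1, 0)


def invariants_hold_on_rs():
    """Every reachable marking agrees with M0 on both invariants (Section 2.2)."""
    rs = reachability_set(M0)
    return all(invariant_value(I, m) == invariant_value(I, M0)
               for I in (I1, I2) for m in rs)


def place_bounds():
    """Exact per-place maxima over the RS; the bounds (3, 3, 2, 8) that Section 3
    derives from the invariants alone are only upper bounds of these."""
    rs = reachability_set(M0)
    return tuple(max(m[p] for m in rs) for p in range(NP))


if __name__ == "__main__":
    print(len(reachability_set(M0)), "reachable markings:", sorted(reachability_set(M0)))
    print("Image(PN, [2010]) =", image({M0}))
    print("max tokens per place over the RS:", place_bounds())
```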

For safe PNs we can compute SM-Components by posing a set of linear equations. A minimal one-token semi-positive invariant I_p including a place p_i can be computed by solving the linear system of equations: 

$$\begin{aligned} \min \quad & \\ \text{s.t.} \quad & I_p \cdot C = 0 \\ & \sum_{p} I_p(p) \cdot M_0(p) = 1 \\ & I_p(p_i) \ge 1 \end{aligned}$$

Figure 3 shows six SM-Components generated from the PN of Fig. 2. For example, SM1 has been generated from the invariant p1 + p2 + p6 + p8 = 1 and SM5 from p5 + p7 + p8 + p12 + p14 = 1. 



2.3 Logic Functions 

Now we briefly sketch some basic theory on Boolean algebras. Most of the concepts presented here have been extracted from the standard literature. 



Structural Methods to Improve the Symbolic Analysis of Petri Nets 



31 




Fig. 4. Encoded reachability graph: (a) sparse and (b) optimal, for the PN in Fig. 1. 



A Boolean algebra is a quintuple (B, +, ·, 0, 1) where B is a set called the carrier, + and · are binary operations on B, and 0 and 1 are elements of B. The system (B = {0, 1}, +, ·, 0, 1), with + and · defined as the logic OR and logic AND operations respectively, is a Boolean algebra. 

An n-variable logic function is a mapping f : B^n → B. Let F_n be the set of n-variable logic functions on B. Then the system (F_n, +, ·, 0, 1) is also a Boolean algebra. Let us also define M_n as the subset of n-variable logic functions such that one and only one combination of inputs evaluates to 1 (i.e. functions that consist of a single minterm). 



3 A Motivating Example 

The symbolic representation of the RS of a PN requires an encoding mechanism to map each marking to a unique binary code inside a Boolean algebra. Traditionally, the encoding has been created by assigning a number of Boolean variables to each place in the PN. The number of variables should be enough to represent the maximum number of tokens that can be located in each place. This encoding technique is known as a sparse encoding scheme. 

Sparse encoding schemes are extremely inefficient for PNs because they as- 
sume that all possible combinations of tokens inside places are possible. However, 
in most cases, places are causally related or in conflict and therefore not all com- 
binations of tokens exist. 

In order to compare the efficiency of different encoding schemes we introduce an encoding density function D. Given a PN, D_PN is calculated as the optimum number of variables required to encode the RS, divided by the actual number of variables that are used, i.e. 

$$\mathcal{D}_{PN} = \frac{\lceil \log_2 |[M_0\rangle| \rceil}{\#\text{ of variables}}$$

An encoding is optimal if D_PN = 1. This optimality implies that the Boolean space is fully used and no binary code is left unassigned. 

The bounded PN in Fig. 1(a) has four different places that may contain a certain number of tokens. The maximum number of tokens that can be located in each place determines how many variables are required for sparse encoding. A conservative upper bound for each place p_i can be derived from a basis B of invariants, i.e. 

$$\max \; M(p_i) \quad \text{s.t.} \quad B \cdot M = B \cdot M_0$$

For that example, after solving the Linear Programming Problem we obtain that the maximum numbers of tokens are max(p1) = max(p2) = 3, max(p3) = 2 and max(p4) = 8. That implies that to encode places p1, p2, p3 we need 2 variables for each of them (because their values are between 0 and 3), while place p4 requires 4 variables (because its values are between 0 and 8). This sparse scheme leads to a Boolean algebra with 10 variables, representing up to 2^10 different markings. However, it is known that the PN has only 7 reachable markings (see Fig. 4(a)). 

An optimal encoding should use a logarithmic number of variables with respect to the number of reachable markings (⌈log2 |[M_0⟩|⌉). In the previous example, ⌈log2 7⌉ = 3 is the optimal number of variables (see Fig. 4(b)). 

Deriving optimal encoding schemes is not a viable strategy because it requires knowing the existing markings a priori, which is in fact the problem that was originally posed. Hence, the goal of this work is to propose alternative dense encoding schemes for PNs that lie between the conventional sparse encoding and the optimal schemes. The proposed methodology should reduce the number of variables while maintaining a reasonable computation effort. 

It is well known that the number of BDD variables does not always have a direct impact on the number of BDD nodes required to represent a set of markings. For a fixed set and number of variables, the number of BDD nodes may vary from polynomial to exponential depending on the variable ordering in the BDD. However, experiments show that a reduction in the number of variables, combined with an accurate assignment of binary codes to markings, provides significant improvements both in the number of BDD nodes and in their computation times. 

Finding relations among places that restrict their simultaneous marking may help to reduce the number of Boolean variables required to encode the same RS. Relations among places not only provide an encoding mechanism, but additionally restrict the set of potentially reachable markings. Some markings will be determined not to be in the RS even before starting any symbolic traversal. 
In this work we propose encoding schemes based on the information known a priori from the PN structure: its invariants. These invariants allow us to discard sets of unreachable markings and to find more efficient encodings for those that are still potentially reachable. The method proposed for the dense encoding of the reachable markings of a PN is structured as follows: 

1. A basis of invariants of the PN is calculated. Algebraic and linear program- 
ming techniques will be used for ordinary PNs, while the SNF can be used 
for bounded PNs. 

2. The PN must be bounded and the upper bounds must be known, either 
derived from the invariants or provided by the user. 

3. A dense encoding is derived for the places covered by invariants. The rest of the places are encoded by using the sparse scheme. Efficient encoding techniques are used for one-token SM-Components, while more elaborate mechanisms are required for general invariants. 

4. Assign binary codes to the places in each invariant, in such a way that BDD 
size is minimized. 

5. Given the selected encoding, calculate the transition relation of the PN and 
the RS by using symbolic traversal techniques. 

4 Encoding Safe Petri Nets 

This section proposes an encoding scheme that is based on the fact that safe 
PNs can be decomposed into one-token SM-Components. The places in each 
SM can be encoded separately using a logarithmic encoding technique. After 
combining the variables in each invariant, the result is a reduced number of 
Boolean variables compared to the conventional sparse techniques. 

To illustrate the proposed encoding scheme we use the PN in Fig. 2. This PN can be decomposed into six SMs that, in this particular case, cover all places (see Fig. 3). The sparse encoding scheme requires 14 Boolean variables to encode each place, resulting in a density of D_PN = ⌈log2(22)⌉ / 14 = 0.36. 

First, we show how an SM-Component can be encoded by using an optimal number of variables. Then we determine the set of invariants that allows us to encode the PN while minimizing the total number of variables. Two methodologies are proposed to select the set of invariants: a simple method that does not consider the interrelations between invariants, and a more elaborate one that takes those interactions into account. 

4.1 Encoding a Single SM 

Let P_i ⊆ P be the subset of places covered by a one-token SM-Component I_i. Since one and only one place in P_i is marked at each marking, a logarithmic encoding can be found for those places. Thus, any injective encoding function E_{I_i} : P_i → M_n (n = ⌈log2 |P_i|⌉) is appropriate. Each place must be assigned a unique minterm to uniquely identify the location of the token in I_i, i.e. 

$$\forall p_j, p_k \in \mathcal{P}_i,\; j \neq k : \quad \mathcal{E}_{I_i}(p_j) \cdot \mathcal{E}_{I_i}(p_k) = 0 . \qquad (2)$$
4.2 Selecting SMs 

The number of variables required to encode a PN directly depends on the selected invariants. Since a place may be covered by different invariants, the density of the encoding may decrease if different sets of variables are used to encode the same place in different invariants. To achieve a dense encoding it is important to select a set of invariants that minimizes the over-encoding of common places. 

Let SMC = {I_i} be a set of SMs that (totally or partially) cover the places of the PN. The problem of finding an optimal subset of SMC to encode the PN can be formulated as a Unate Covering Problem as follows: 

1. Take SMC ∪ P as the set of covering objects and P as the set of covered objects. Each invariant I_i covers a subset of places P_i ⊆ P. Each place p_i ∈ P covers itself. 

2. For each I_i ∈ SMC, define cost(I_i) = ⌈log2(|P_i|)⌉. 

3. For each p_i ∈ P, define cost(p_i) = 1. 

4. Find a minimum cost cover of SMs and places. 

In practice heuristics are used, e.g. a Fiduccia-Mattheyses algorithm that iteratively takes or rejects invariants for encoding. Obviously, the quality of the final encoding depends on the initial selection of invariants and on the order in which they are processed. 

The final encoding of each place can be computed as the conjunction of the encoding functions used in each particular SM; that is, 

$$\mathcal{E}(p_j) = \prod_{I_i :\; p_j \in \mathcal{P}_i} \mathcal{E}_{I_i}(p_j) .$$

The following minimum cost encoding using 10 variables (with density D_PN = 5/10 = 0.5) can be found: 

— SM1 covering places {p1, p2, p6, p8} (2 variables). 

— SM3 covering places {p9, p10, p12, p14} (2 variables). 

— SM4 covering places {p9, p11, p13, p14} (2 variables). 

— The rest of the places encoded with one variable per place (p3, p4, p5 and p7). 



4.3 Combining SMs for a Denser Encoding 

The encoding scheme presented in the previous section can be further improved 
by taking into account that places may be covered by more than one invariant. 
In that case, a place can be over-encoded, resulting in a less dense encoding 
scheme. Intuitively, each place only needs to be encoded once even though it can 
be covered by several SMs. 

A denser encoding scheme can be implemented as follows. Let us assume that a subset of SMs, {I_1, ..., I_{i−1}}, is already used to encode some places of the PN. Let us now include an additional SM I_i covering the places P_i. We can partition P_i into two subsets P_i = P_i^cov ∪ P_i^new. P_i^cov contains all those places already covered by {I_1, ..., I_{i−1}}, whereas P_i^new contains the places only covered by I_i. Given that the places in P_i^cov have already been encoded in other SMs, we only need additional variables to encode the places remaining in P_i^new; that is, ⌈log2(|P_i^new|)⌉ variables. Since most of the SMs of a PN overlap each other, encoding the places in P_i^new rather than the whole set P_i should lead to much denser encodings. 

Once we have determined the number of variables, we need to define the conditions under which binary codes have to be assigned to encode each place. A valid encoding for I_i would be any function E_{I_i} : P_i → M_n (n = ⌈log2(|P_i^new|)⌉) that assigns a unique minterm to each place in P_i^new; i.e. 

$$\forall p_j, p_k \in \mathcal{P}_i^{new},\; p_j \neq p_k : \quad \mathcal{E}_{I_i}(p_j) \cdot \mathcal{E}_{I_i}(p_k) = 0 . \qquad (3)$$

Equation (3) imposes looser conditions than (2), because no encoding restriction is defined over places already covered in P_i^cov. This encoding scheme uses the new Boolean variables to encode both the places in P_i^new and those in P_i^cov. In that way, a certain degree of over-encoding is introduced for the places in P_i^cov. 

Note that for each place p ∈ P_i^new there may be a set of places V_p in P_i^cov with the same code as p, i.e. 

$$V_p = \{\, p' \in \mathcal{P}_i^{cov} \mid \mathcal{E}_{I_i}(p) \cdot \mathcal{E}_{I_i}(p') \neq 0 \,\} .$$

This ambiguity is only apparent, since the marking of p can be indirectly determined by the marking of the other SMs encoding the places of V_p. In the extreme case of having a single place in P_i^new no additional variables are required, because the value of p can be determined by using the places in P_i^cov, i.e. p is marked iff no other place in P_i^cov is marked. 

The number of variables required to encode the PN depicted in Fig. 2 can be reduced by using the improved encoding technique. A minimum cost encoding using 6 variables (with density D_PN = 5/6 = 0.84) can be found. To derive this encoding all SMs available in Fig. 3 have been used, but only a subset of places in each SM is covered: 

— SM1 covering places {p1, p2, p6, p8} (2 variables). 

— SM2 covering places {p3, p7} (1 variable). 

— SM3 covering places {p9, p10, p12, p14} (2 variables). 

— SM4 covering places {p11, p13} (1 variable). 

— SM5 covering place {p5} (0 variables). 

— SM6 covering place {p4} (0 variables). 

Figure 3 shows all SMs of the PN with the suggested codes to be assigned to each place. The encoding described in Table 1 can be derived for the places of the PN, maintaining the one-to-one relation between markings and binary codes. 



4.4 Characteristic Functions for Places 

In general, every place p can be covered by several SM-Components. By using the improved encoding approach presented in the previous section, only one of the SMs will be used to encode p, whereas the other SMs will merely assign p a code already used for other places. 

Table 1. Encoding for the dining philosophers example in Fig. 2. 

  SM / place   SM1            SM3              SM2        SM4        SM5      SM6 
  variables    x1 x2          x3 x4            x5         x6         (none)   (none) 
  ---------------------------------------------------------------------------------- 
  Encoding     p1 = x1 x2     p9  = x3 x4      p1 = x5    p9  = x6   p5 = 1   p4 = 1 
               p2 = ¬x1 x2    p10 = ¬x3 x4     p3 = x5    p11 = x6 
               p6 = x1 ¬x2    p12 = x3 ¬x4     p7 = ¬x5   p13 = ¬x6 
               p8 = ¬x1 ¬x2   p14 = ¬x3 ¬x4    p8 = ¬x5   p14 = ¬x6 

Table 2. Characteristic functions for the places according to Table 1. 

  χ[p1] = x1 x2                    χ[p8]  = ¬x1 ¬x2 
  χ[p2] = ¬x1 x2                   χ[p9]  = x3 x4 
  χ[p3] = x5 (¬x1 + ¬x2)           χ[p10] = ¬x3 x4 
  χ[p4] = [illegible in source]    χ[p11] = x6 (¬x3 + ¬x4) 
  χ[p5] = [illegible in source]    χ[p12] = x3 ¬x4 
  χ[p6] = x1 ¬x2                   χ[p13] = ¬x6 (x3 + x4) 
  χ[p7] = ¬x5 (x1 + x2)            χ[p14] = ¬x3 ¬x4 

Let us call I_p the SM used to encode place p. The characteristic function of place p (χ[p], the set of markings with p marked) is the following: 

$$\chi[p] = \mathcal{E}_{I_p}(p) \cdot \prod_{p' \neq p :\; \mathcal{E}_{I_p}(p) \cdot \mathcal{E}_{I_p}(p') \neq 0} \overline{\chi[p']} \qquad (4)$$

The characteristic function for each place in Fig. 2 is shown in Table 2. 
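The incremental encoding of Section 4.3 and the characteristic functions of eq. (4), as an added example that is not part of the paper: the input is the three SM place sets the text lists for SM1, SM3 and SM4 (the other SMs are omitted because their complete place sets are not given here); the policy for over-encoding already covered places (minterms reused cyclically) and the variable numbering are assumptions of this example, and Boolean functions are kept as explicit truth tables instead of BDDs. The final check verifies the one-to-one relation between markings and codes that the text claims for Table 1.

```python
from itertools import product
from math import ceil, log2

# Constructed input: three one-token SM-Components of the dining philosophers
# net, with the place sets the paper lists for SM1, SM3 and SM4. SM2, SM5 and
# SM6 are left out because their full place sets are not given in the text.
SMS = [
    ("SM1", ("p1", "p2", "p6", "p8")),
    ("SM3", ("p9", "p10", "p12", "p14")),
    ("SM4", ("p9", "p11", "p13", "p14")),
]


def bits(index, n):
    """Minterm number `index` over n variables as a tuple of bits (MSB first)."""
    return tuple((index >> (n - 1 - k)) & 1 for k in range(n))


def dense_encode(sms):
    """Section 4.3: SM I_i gets ceil(log2 |P_i^new|) fresh variables; places in
    P_i^new receive distinct minterms over them (eq. 3), places in P_i^cov are
    over-encoded by reusing those minterms cyclically (an assumption of this
    example; the paper leaves that choice free). Returns (nvars, codes, owner)
    with codes[sm][place] = {variable: bit} and owner[place] = encoding SM."""
    nvars, codes, owner = 0, {}, {}
    for name, places in sms:
        new = [p for p in places if p not in owner]
        cov = [p for p in places if p in owner]
        n = ceil(log2(len(new))) if len(new) > 1 else 0   # a single new place: 0 vars
        fresh = list(range(nvars, nvars + n))
        nvars += n
        codes[name] = {p: dict(zip(fresh, bits(i % (1 << n), n)))
                       for i, p in enumerate(new + cov)}   # new places come first
        owner.update({p: name for p in new})
    return nvars, codes, owner


def characteristic_functions(sms, nvars, codes, owner):
    """Section 4.4, eq. (4): chi[p] = E_Ip(p) * prod(not chi[p']) over the places
    p' of I_p whose code intersects E_Ip(p). A function is stored as the set of
    its satisfying assignments (tuples of nvars bits)."""
    space = set(product((0, 1), repeat=nvars))

    def cube(code):
        return {a for a in space if all(a[v] == b for v, b in code.items())}

    chi = {}
    for name, places in sms:          # encoding order: chi of P^cov places exists
        for p in places:
            if owner[p] != name:
                continue
            f = cube(codes[name][p])
            for q in places:
                if q != p and cube(codes[name][p]) & cube(codes[name][q]):
                    f -= chi[q]       # q shares p's code: conjoin with not chi[q]
            chi[p] = f
    return chi


def consistent_markings(sms):
    """Markings over the covered places with exactly one token in every SM."""
    places = sorted({p for _, ps in sms for p in ps})
    return [frozenset(p for p, b in zip(places, marked) if b)
            for marked in product((0, 1), repeat=len(places))
            if all(sum(b for p, b in zip(places, marked) if p in ps) == 1
                   for _, ps in sms)]


def marking_code(m, sms, codes, nvars):
    """Code of a marking: conjunction of E_Ii(marked place of I_i) over all SMs."""
    code = {}
    for name, places in sms:
        (p,) = [q for q in places if q in m]
        code.update(codes[name][p])
    return tuple(code[v] for v in range(nvars))


def check_encoding(sms):
    """True iff distinct markings get distinct codes and chi[p] holds on a code
    exactly when p is marked in the corresponding marking."""
    nvars, codes, owner = dense_encode(sms)
    chi = characteristic_functions(sms, nvars, codes, owner)
    marks = consistent_markings(sms)
    encoded = {m: marking_code(m, sms, codes, nvars) for m in marks}
    if len(set(encoded.values())) != len(marks):
        return False
    return all((encoded[m] in chi[p]) == (p in m) for m in marks for p in chi)


if __name__ == "__main__":
    nvars, codes, owner = dense_encode(SMS)
    print(nvars, "variables for", len(owner), "places; one-to-one:", check_encoding(SMS))
```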

5 Bounded PN Encoding 

This section shows how invariants can be used to efficiently encode any bounded PN. The goal is to characterize the number of tokens in each place by using the information available in a given invariant. Each invariant describes the distribution of tokens in its places for any reachable marking. However, the analysis of token configurations inside a general invariant is more complex than in a simple one-token SM-Component. 

To illustrate the proposed encoding scheme we use the PN depicted in Fig. 1(a). This PN can be decomposed into the invariants I_1 and I_2 given in Section 2.2. A sparse scheme requires 10 Boolean variables to encode all places, resulting in a density of D_PN = ⌈log2(7)⌉ / 10 = 0.36. 

First, we analyze which reachable markings are characterized by each invariant. A number of variables should be assigned to encode each invariant. However, once an invariant has been encoded, fewer variables are required to encode the remaining invariants. We introduce a greedy methodology to select which invariants should be encoded first, based on the variable reductions obtained compared to the sparse scheme. 

5.1 Token Configurations in Invariants 

Let us define a token configuration C_i as an integer assignment to the places of an invariant. A token configuration can be total or partial. A total token configuration defines the token count for all places in the invariant, while a partial token configuration only defines the count for a subset of places. Given the invariant I_1 for the PN in Fig. 1(a), {{p1, 1}, {p2, 1}, {p4, 2}} is a total token configuration, while {{p1, 1}, {p2, 0}} is a partial token configuration. 

The exhaustive analysis of each invariant provides all possible token configurations that may correspond to potentially reachable markings. The generation of all potential token configurations can be represented as a tree (see Fig. 5) where each node corresponds to a place and the arc to each child is labeled with a possible token assignment. Each leaf in the tree represents a total token configuration. In general, we may generate the token configurations of an invariant that has been partially encoded (e.g. see Section 4.3 for safe nets). The subset of the invariant that has already been encoded is depicted in a rectangular root node in which each outgoing arc to its child is labeled with the number of tokens already assigned to places (in Fig. 5 no place has been encoded, hence 0 is assigned to the root node and its arc). For the invariants I_1 and I_2 of Fig. 1(a) there exist 10 and 9 total token configurations respectively, as shown in Fig. 5. 

In order to characterize the token configurations that may lead to potential markings, we define the potential marking function for an invariant I_i as: 

$$PM_{I_i} : \mathbb{N}^{|\mathcal{P}_i|} \to \{0, 1\} ;$$

where P_i is the set of places in I_i. The PM function characterizes the token configurations C_j ∈ ℕ^{|P_i|} that satisfy (PM_{I_i}(C_j) = 1) or do not satisfy (PM_{I_i}(C_j) = 0) the invariant, e.g. PM_{I_1}({p1, 1}, {p2, 0}) = 0 and PM_{I_1}({p1, 1}, {p2, 1}, {p4, 2}) = 1 (see Fig. 5). Let C_{I_i} be the set of potentially reachable total token configurations in I_i. 

The combination of information from several invariants further improves the characterization of the potentially reachable markings. Basically, any reachable marking must agree with all the invariants in the PN. Therefore, if a token configuration does not exist in one invariant then it cannot be valid for any other invariant of the PN. 

In Fig. 5, PM_{I_1}({p1, 2}, {p2, 2}) = 1 but PM_{I_2}({p1, 2}, {p2, 2}) = 0; therefore the token configuration {{p1, 2}, {p2, 2}, {p4, 8}} is not valid for I_1 and we can update the PM function with PM_{I_1}({p1, 2}, {p2, 2}, {p4, 8}) = 0. Similarly, comparing the token configurations of the invariants in Fig. 5 indicates that, in fact, no marking with {{p1, 2}, {p2, 2}}, {{p1, 3}, {p2, 1}} or {{p1, 1}, {p2, 0}} can exist. The corresponding arcs in the solution trees are eliminated (denoted by shadowed configurations in Fig. 5). We can conclude that each invariant has 8 possible token configurations. 
Fig. 5. Token configurations for the invariants of the example in Fig. 1. 



Once we have determined the potential token configurations in each invariant, we can assign Boolean variables to encode each combination of tokens. The number of variables required to encode the invariant is n_{I_i} = ⌈log2(|C_{I_i}|)⌉. Then, any injective encoding function E_{I_i} : C_{I_i} → M_n (n = n_{I_i}) is appropriate to encode the invariant. Each different total token configuration must be assigned a unique minterm, i.e. 

$$\forall C_j, C_k \in \mathcal{C}_{I_i},\; j \neq k : \quad \mathcal{E}_{I_i}(C_j) \cdot \mathcal{E}_{I_i}(C_k) = 0 . \qquad (5)$$

For the invariants of Fig. 1(a) we have to encode 8 different token configurations, therefore ⌈log2(8)⌉ = 3 variables are required for each invariant. 

Fig. 6 describes a Decision Diagram with one possible encoding of invariant I_1 using three Boolean variables (denoted x1 ... x3). Each one of the 8 total token configurations (C_0, ..., C_7) is encoded by a different assignment to the variables x1 ... x3 (a different minterm described by each branch of the tree). For example, the token configuration C_4 = {{p1, 1}, {p2, 2}, {p4, 6}} is encoded as E_{I_1}(C_4) = ¬x1 x2 x3. 

Fig. 6. DDs for the encoding of token configurations in I_1. 



5.2 Invariant Selection for Dense Encoding 

Similarly to the techniques used for safe PNs, places that appear in different invariants do not need to be encoded multiple times. Each place must be encoded in only one invariant. The invariant selection process can be formulated as a Covering Problem in which each place can be covered by an invariant or left uncovered (using sparse encoding). The goal is to select a number of invariants that minimizes the total number of variables in the encoding. 

To avoid the inherent complexity of covering problems, a heuristic algorithm has been derived to select in which invariant a place should be encoded. Basically, we choose the invariant that requires fewer variables compared to the sparse encoding technique and that has fewer token configurations, to have better control of the minterm assignment process. Given the PN in Fig. 1(a), sparse encoding requires 8 variables for invariant I_1 and 6 variables for I_2. Using the proposed dense encoding only 3 variables are required for each invariant. Invariant I_1 will be encoded first because we obtain an improvement of 5 variables with respect to the sparse technique. 

When each potential marking has been encoded it is possible to derive the encoding function E_{I_i} : P × ℕ → F_n that characterizes when a place holds a number k of tokens (n = n_{I_i}). This function is the union of the total token configurations C that satisfy {p, k} ∈ C, i.e. 

$$\mathcal{E}_{I_i}(p_j, k) = \bigvee_{C_i \in \mathcal{C}_{I_i} :\; \{p_j, k\} \in C_i} \mathcal{E}_{I_i}(C_i) .$$
Fig. 7. DDs for the encoding of places in I_1. 

A multi-valued encoding function E_{I_i} : P → ℕ × F_n is defined to characterize all token assignments for each place, i.e. 

$$\mathcal{E}_{I_i}(p_j) = \bigvee_{\forall k} k \times \mathcal{E}_{I_i}(p_j, k) .$$

The token assignments in E_{I_i}(p_j) can be efficiently represented by means of ADDs. Each branch of an ADD describes a set of binary codes that are assigned to a certain integer value (the token count). Fig. 7(a) explicitly depicts the ADDs for the characteristic functions of the places in I_1, e.g. 

$$\mathcal{E}_{I_1}(p_1) = 0 \times (x_1 x_2 + x_1 \bar{x}_2 x_3) + 1 \times (x_1 \bar{x}_2 \bar{x}_3 + \bar{x}_1 x_2 x_3) + 2 \times (\bar{x}_1 x_2 \bar{x}_3 + \bar{x}_1 \bar{x}_2 x_3) + 3 \times (\bar{x}_1 \bar{x}_2 \bar{x}_3) .$$

$$\mathcal{E}_{I_1}(p_2) = 0 \times (\bar{x}_1 x_2 \bar{x}_3 + \bar{x}_1 \bar{x}_2 \bar{x}_3) + 1 \times (x_1 x_2 x_3 + x_1 \bar{x}_2 \bar{x}_3 + \bar{x}_1 \bar{x}_2 x_3) + 2 \times (x_1 x_2 \bar{x}_3 + \bar{x}_1 x_2 x_3) + 3 \times (x_1 \bar{x}_2 x_3) .$$

On the other hand, BDDs are used to represent the subset of markings in which places have a particular token count. Each branch of a BDD describes a set of binary codes that either belongs to the set (if the leaf node is TRUE) or not (the leaf is FALSE). Fig. 7 also depicts the BDD for the characteristic function E_{I_1}(p1, 0) = x1 x2 + x1 ¬x2 x3. 

Once an invariant has been encoded, the rest of the invariants may need fewer variables because some places have already been encoded. In the example, places p1 and p2 have already been encoded by I_1 and therefore fewer token configurations need to be described when considering I_2. The number of tokens accumulated in p1 + p2 can be easily computed by operating the ADDs corresponding to E_{I_1}(p1) and E_{I_1}(p2), i.e. 

$$\mathcal{E}_{I_1}(p_1) + \mathcal{E}_{I_1}(p_2) = 1 \times (x_1 x_2 x_3) + 2 \times (x_1 \bar{x}_2 \bar{x}_3 + x_1 x_2 \bar{x}_3 + \bar{x}_1 x_2 \bar{x}_3) + 3 \times (x_1 \bar{x}_2 x_3 + \bar{x}_1 x_2 x_3 + \bar{x}_1 \bar{x}_2 x_3 + \bar{x}_1 \bar{x}_2 \bar{x}_3) .$$

Fig. 8. DDs that characterize the encoding of invariant I_2 after encoding I_1. 

The result shows that only three token configurations exist for the addition of both places, corresponding to p1 + p2 = {1, 2, 3} (see Fig. 8(a)). Now it is clear that the value of E_{I_2}(p3) can be implicitly derived according to invariant I_2 : p1 + p2 + p3 = 3 (see Fig. 8(b)). 

The root node (p1 + p2) of the token configuration tree (see Fig. 8(b)) holds an implicit encoding due to the binary codes previously assigned to other invariants. We denote this encoding function as the implicit encoding function E^I_{I_i} : C_{I_i} → F_m, because it assigns to each token configuration a function that depends on all the m Boolean variables already assigned in previously considered invariants. In Fig. 8(b) we have that E^I_{I_2}(C_0) = x1 x2 x3, E^I_{I_2}(C_1) = x1 ¬x2 ¬x3 + x1 x2 ¬x3 + ¬x1 x2 ¬x3 and E^I_{I_2}(C_2) = x1 ¬x2 x3 + ¬x1 x2 x3 + ¬x1 ¬x2 x3 + ¬x1 ¬x2 ¬x3. 

Given the root encoding function, the remaining part of the invariant may need fewer variables, because the conditions in (5) for the encoding function E_{I_i} can be relaxed to: 

$$\forall C_j, C_k \in \mathcal{C}_{I_i},\; j \neq k : \quad \mathcal{E}^I_{I_i}(C_j)\, \mathcal{E}_{I_i}(C_j) \cdot \mathcal{E}^I_{I_i}(C_k)\, \mathcal{E}_{I_i}(C_k) = 0 . \qquad (6)$$

Only those token configurations with encoding functions that may intersect should be assigned a unique code (the implicit encoding already prevents some intersections). Hence, the number of variables for encoding is reduced to: 

$$\left\lceil \log_2 \left| \{\, C_i : \exists C_j,\; i \neq j \text{ s.t. } \mathcal{E}^I_{I_i}(C_i) \cdot \mathcal{E}^I_{I_i}(C_j) \neq 0 \,\} \right| \right\rceil .$$

Finally, if I_p is the invariant used to encode place p, the multi-valued characteristic function χ[p] of place p must combine the codes assigned in I_p with the implicit information assigned from other invariants, i.e. 

$$\chi[p] = \bigvee_{\forall k} k \times \bigvee_{C_i \in \mathcal{C}_{I_p} :\; \{p, k\} \in C_i} \mathcal{E}^I_{I_p}(C_i)\, \mathcal{E}_{I_p}(C_i) \qquad (7)$$

In that case no additional variables are required to encode p3. The encoding for χ(p3) can be created as χ(p3) = 3 − (E_{I_1}(p1) + E_{I_1}(p2)), i.e. 

$$\chi(p_3) = 0 \times (x_1 \bar{x}_2 x_3 + \bar{x}_1 x_2 x_3 + \bar{x}_1 \bar{x}_2 x_3 + \bar{x}_1 \bar{x}_2 \bar{x}_3) + 1 \times (x_1 \bar{x}_2 \bar{x}_3 + x_1 x_2 \bar{x}_3 + \bar{x}_1 x_2 \bar{x}_3) + 2 \times (x_1 x_2 x_3) .$$

The overall encoding process can be described as follows: 

1. Compute the potential token configurations for each invariant. 

2. Encode the invariant that provides the maximum variable decrease with respect to sparse encoding and the minimal number of token configurations. 

3. Eliminate invariants with all places already encoded. 

4. Update the token configuration trees for the remaining invariants. 

5. Repeat from 2 until all places have been encoded. 

The encoded reachability graph for the PN in Fig. 1(a) is shown in Fig. 4(b). 
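The token-configuration analysis of Sections 5.1 and 5.2 and the potential-marking bound of Section 6, carried out explicitly on the invariants and place bounds the paper gives for Fig. 1(a); this is an added example, not the authors' implementation, and it represents the ADDs and BDDs of the text as plain Python dictionaries and sets (the minterm numbering is this example's own choice).

```python
from itertools import product
from math import ceil, log2

# Data of the bounded PN in Fig. 1(a), taken from the paper: the basis of
# invariants I1: 2p1 + 4p2 - p4 = 4 and I2: p1 + p2 + p3 = 3, and the LP bounds
# max(p1) = max(p2) = 3, max(p3) = 2, max(p4) = 8.
INVARIANTS = {
    "I1": ({"p1": 2, "p2": 4, "p4": -1}, 4),
    "I2": ({"p1": 1, "p2": 1, "p3": 1}, 3),
}
BOUNDS = {"p1": 3, "p2": 3, "p3": 2, "p4": 8}


def token_configurations(inv):
    """Sec. 5.1: the total token configurations C with PM_I(C) = 1, i.e. every
    assignment of 0..bound tokens to the places of I that satisfies its equation.
    A configuration is a frozenset of (place, count) pairs."""
    coeffs, total = inv
    places = sorted(coeffs)
    return {frozenset(zip(places, counts))
            for counts in product(*(range(BOUNDS[p] + 1) for p in places))
            if sum(coeffs[p] * k for p, k in zip(places, counts)) == total}


def agree(c1, c2):
    """Two configurations agree when they give equal counts to every shared place."""
    d1, d2 = dict(c1), dict(c2)
    return all(d1[p] == d2[p] for p in d1.keys() & d2.keys())


def prune(confs):
    """End of Sec. 5.1: a configuration agreeing with no configuration of some other
    invariant cannot belong to a reachable marking; drop it (iterated to a fixpoint)."""
    changed = True
    while changed:
        changed = False
        for a in confs:
            keep = {c for c in confs[a]
                    if all(any(agree(c, d) for d in confs[b]) for b in confs if b != a)}
            changed |= keep != confs[a]
            confs[a] = keep
    return confs


def variables_needed(count):
    return ceil(log2(count)) if count > 1 else 0


def encode_invariant(confs):
    """Eq. (5): a distinct minterm (tuple of bits) for every configuration."""
    n = variables_needed(len(confs))
    return {c: tuple((i >> (n - 1 - k)) & 1 for k in range(n))
            for i, c in enumerate(sorted(confs, key=sorted))}


def place_encoding(codes, place):
    """E_I(p) of Sec. 5.2 as an ADD-like dict: binary code -> token count of p."""
    return {code: dict(c)[place] for c, code in codes.items()}


def implicit_codes(conf, codes):
    """E^I(C): codes of an already encoded invariant that agree with C."""
    return {code for c, code in codes.items() if agree(c, conf)}


def extra_variables(next_confs, codes):
    """Eq. (6): only configurations whose implicit codes intersect some other
    configuration's need fresh variables to be told apart."""
    imp = {c: implicit_codes(c, codes) for c in next_confs}
    clashing = [c for c in imp if any(imp[c] & imp[d] for d in imp if d != c)]
    return variables_needed(len(clashing))


def potential_markings(confs):
    """Sec. 6: markings agreeing with every invariant, an upper bound of the RS."""
    return {frozenset().union(*combo)
            for combo in product(*confs.values())
            if all(agree(a, b) for a in combo for b in combo)}


def analyse():
    confs = {n: token_configurations(inv) for n, inv in INVARIANTS.items()}
    raw = {n: len(c) for n, c in confs.items()}
    confs = prune(confs)
    codes = encode_invariant(confs["I1"])          # I1 first: largest variable saving
    p1, p2 = place_encoding(codes, "p1"), place_encoding(codes, "p2")
    p1_plus_p2 = {code: p1[code] + p2[code] for code in codes.values()}
    return {
        "raw": raw,                                 # 10 and 9 configurations
        "pruned": {n: len(c) for n, c in confs.items()},
        "vars_I1": variables_needed(len(confs["I1"])),
        "root_values": sorted(set(p1_plus_p2.values())),   # p1 + p2 in {1, 2, 3}
        "vars_I2_after_I1": extra_variables(confs["I2"], codes),  # p3 is implied
        "potential_markings": len(potential_markings(confs)),
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key}: {value}")
```

The potential RS has 8 markings while the exact RS of Section 2 has 7, which is the over-approximation Section 6 describes.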

6 Computation of Potentially Reachable Markings 

Invariants not only provide an efficient mechanism to encode places in a PN, 
but offer an initial approximation of the RS. Any reachable marking must agree 
with the initial marking at any invariant of a PN. Therefore every invariant can 
be used to divide the Boolean space into a set of potentially reachable markings 
and a set of unreachable markings. 

The general situation that we consider arises whenever binary codes are left unallocated to any potential token configuration. Given a general invariant I_i : a_1 p_1 + ... + a_m p_m = N, the characteristic function χ[I_i] of all markings that satisfy that equation is constructed by: 

1. Operating the characteristic functions χ[p_j] of all places in the invariant, i.e. $\sum_{p_j \in \mathcal{P}_i} a_j \cdot \chi[p_j]$; 

2. In the resulting function, all leaf nodes that are equal to N correspond to markings that satisfy the invariant ($\chi[I_i] = [\, N - \sum_{p_j \in \mathcal{P}_i} a_j \cdot \chi[p_j] = 0 \,]$). 

Since any reachable marking has to satisfy all the invariants, the upper bound of the RS is obtained as the conjunction of the characteristic functions of all invariants. 

The characteristic function for one-token SM-Components can be easily computed by operating the characteristic function of each place. Given an invariant I_i, when a place p_j ∈ P_i is marked (χ[p_j] = 1) the rest of the places cannot be marked; hence, the characteristic function is computed as: 

$$\chi[I_i] = \sum_{p_j \in \mathcal{P}_i} \chi[p_j] \cdot \prod_{p_k \in \mathcal{P}_i,\; k \neq j} \overline{\chi[p_k]} .$$

Approximations of the RS computed by using structural information improve the symbolic analysis of the PN in two ways: 






Table 3. Comparison between sparse and dense encoding schemes for safe PNs. 

  PN        P    T    RS          | Sparse encoding         | Dense encoding 
  name                            | V    nTR   nRS    CPU   | Ninv  Nnodes  V    nTR   nRTR  nRS   CPU 
  --------------------------------+-------------------------+------------------------------------------- 
  muller10  40   20   4.2 x 10^?  | 40   180   770    1     | 10    40      20   140   123   189   1 
  muller20  80   40   2.5 x 10^?  | 80   360   3188   9     | 20    80      40   280   241   668   3 
  muller30  120  60   6.0 x 10^?  | 120  540   6694   51    | 30    120     60   480   426   1390  13 
  phil5     65   50   8.5 x 10^?  | 65   330   639    2     | 15    125     25   644   459   158   2 
  phil10    130  100  7.4 x 10^?  | 130  660   7805   40    | 30    250     50   1284  914   433   24 
  phil15    195  150  6.4 x 10^?  | 195  990   87419  700   | 45    375     75   1924  1369  708   124 
  slot5     50   50   1.7 x 10^?  | 50   330   673    14    | 10    50      25   325   283   129   5 
  slot10    100  100  3.8 x 10^?  | 100  660   2516   1006  | 20    100     50   650   581   460   309 

(The exponents of the RS column are not legible in the source.) 

Table 4. Comparison between sparse and dense encoding schemes for bounded PNs. 

  PN       P   T   RS          | Sparse encoding       | Dense encoding 
  name                         | V   nTR  nRS   CPU    | Ninv  Nnodes  V   nTR  nRS  CPU 
  -----------------------------+-----------------------+---------------------------------- 
  prod     8   8   7           | 11  107  29    0      | 4     41      5   131  12   0 
  robot1   17  8   1.6 x 10^?  | 28  208  389   1      | 11    222     12  99   58   1 
  robot2   15  6   4.8 x 10^?  | 24  149  243   1      | 10    69      6   817  9    1 
  robot12  24  14  1.3 x 10^?  | 40  358  1330  2      | 13    9465    18  647  141  7 

(The exponents of the RS column are not legible in the source.) 

— A set of markings that is known to be unreachable offers a number of binary 
codes to be used as don’t care set. The BDD representation of functions 
involved in the symbolic analysis can be simplified by using this don’t care 
set. In particular, the size of the transition relation and the RS of the PN 
can be reduced. 

— The potential RS approximations may already provide enough information 
to determine if the properties under analysis are satisfied in a positive or 
negative way without requiring the symbolic traversal of the PN. 



7 Experimental Results 

The efficiency of the proposed encoding technique is measured in terms of the reductions achieved in the number of variables, in the number of BDD nodes needed to represent the transition relation and the RS of the PN, and in CPU computation times.

Table 3 compares the results of symbolic traversal after both sparse and dense encoding of several safe PNs based on the general invariant-based algorithm. Scalable examples have been used: muller describes a Muller pipeline with n stages, phil describes n competing philosophers, and slot a model of the slotted-ring protocol with n stages. We have analyzed the results obtained by using a sparse encoding (labeled Sparse) and a dense encoding with a set of minimal invariants computed with algebraic techniques (labeled Dense). For both cases we provide the number of Boolean variables required by the encoding (V), the number of BDD nodes to represent the transition relation (nTR) and the RS (nRS), and the computation times (CPU). Additionally, for the dense encoding we provide the number of invariants that have been used (Ninv) and the total number of token assignments generated along the encoding process (Nnodes). When the potentially reachable markings are used to simplify the TR of the PN, the resulting number of BDD nodes is also presented (nRTR).

The experiments show that variable reductions of 50% or better can be obtained. The influence of these results is evident on the number of BDD nodes to represent the RS (reductions of 70% to 90% are obtained) and on the computation times (speedups of 40% to 80% are achieved). Conversely, the number of BDD nodes to represent the transition relations may even increase due to the complexity of the encoding assignments. The computation of the potentially reachable markings also helps to further reduce the size of the TRs by 10% to 30%.

Table 4 compares the results of symbolic traversal after both sparse and dense encoding of a few bounded PNs. The examples describe several robot control automata. Again, 50% variable reductions can be obtained. The influence of these results is also quite significant on the number of BDD nodes to represent the RS. However, the increase in the number of nodes to represent the transition relations may reduce the computation speedups. Further research is needed in that direction. From the robot12 example it can also be seen that in some cases the number of token configurations may be even bigger than the number of reachable states. Heuristics must be derived to avoid exploring invariants with a large number of configurations.

8 Conclusions 

This paper has presented encoding techniques that improve the efficiency of symbolic methods for the analysis of PNs. Structural PN theory provides sets of P-invariants that identify interrelations among places, which allows sets of unreachable markings to be identified immediately. These techniques alleviate the complexity of the existing symbolic techniques for the calculation of the exact reachability set.

The structural theory of PNs goes beyond P-invariants. Although the struc- 
ture is not enough for the exact analysis of a PN, it provides information that 
can be efficiently combined with symbolic analysis. Future work intends to de- 
rive a general framework to combine the efficiency of the structural PN theory 
with the accuracy of the symbolic techniques. 
Abstract. Stubborn sets are a tool for state space reduction preserving certain system properties. We present stubborn set approaches for all popular Petri net standard properties. This extends the list of properties that can be analysed successfully (including boundedness, reversibility). For other properties, our approach can lead to larger reductions (reachability) than previous ones. Furthermore, shortest and cheapest witness paths for several properties are now preserved.



Keywords: (Theory) Analysis of nets. Computer tools for nets 

1 Introduction 

Using stubborn sets, situations where sequences of transitions can fire in arbitrary order are detected. By firing as few as possible of the possible permutations, the size of state spaces can decrease significantly. Reduction is obtained by firing, at a marking $m$, only some of the enabled transitions, collected in the stubborn set $St(m)$. The art of stubborn sets is to keep the reduced size as small as possible, but large enough to preserve a given property of the underlying system.

The first, and still most popular, application field of stubborn sets was the 
dead marking problem [9]. Then, eliminating the problem of ignored transitions, 
other standard properties like liveness and dead transitions could be preserved 
[10]. The stubborn set concept was generalised to language preservation [10] 
and linear time temporal logic (LTL) model checking [11,12,6,3]. These two 
approaches depend on the distinction between visible and invisible transitions, 
i.e. transitions that do or do not influence the desired property. The language 
of visible transitions is fully preserved while state space reduction concerns only 
invisible transitions. Though visibility can be relaxed in some situations [5, 17], the general approaches do not work very well for global or almost global properties (properties with a small number of invisible transitions). Furthermore, care must be taken of the ignoring problem.

Attempts to apply stubborn sets to model checking for the branching time 
logic CTL [2] lead to significantly stronger restrictions (i.e. larger stubborn sets) 
than LTL-preserving methods. 

In [13-15], many derivatives of the stubborn set method are surveyed. 

We propose another policy of stubborn set creation. Where most existing methods consider stubborn sets as a superset of a single enabled transition (arbitrarily chosen), our stubborn sets are supersets of attractor sets of transitions. These attractor sets play a key role in directing the generation of the reduced graph into the desired direction. This concept is also present in the tester concept in [12], where the actions of the tester process are closely related to our attractor sets. However, the tester concept treats visible transitions in a similar way as language preserving stubborn sets and is therefore not suitable for global properties.

We present our method property by property. Thereby we start with bound- 
edness and reachability. Having done this, we generalise the pattern of our 
methodology. Then we discuss invariance and satisfiability of state predicates on 
a more general level. We continue with the preservation of shortest and cheapest 
paths. After that we revisit the dead transition and dead marking problems. For 
preserving liveness and reversibility, we study stubborn sets in the context of 
strongly connected components of the reachability graph. We close our list of 
properties with the (more complicated) home state problem. 

2 Petri nets 

For the purpose of simplicity, we present the approach for place/transition nets. 
However, the idea can be easily transferred to other formalisms that have a 
concept of stubborn sets. 

Definition 1 (Petri net). A tuple $N = [P, T, F, W, m_0]$ is a Petri net iff $P$ and $T$ are finite, nonempty, and disjoint sets (of places and transitions), $F \subseteq (P \times T) \cup (T \times P)$ (the set of arcs), $W : (P \times T) \cup (T \times P) \to \mathbb{N}$ such that $W([x,y]) > 0$ iff $[x,y] \in F$ (the arc multiplicities), and $m_0$ is a marking, i.e. a mapping $m_0 : P \to \mathbb{N}$.

For a place or transition $x$, ${}^\bullet x = \{y \mid [y,x] \in F\}$ denotes the pre-set of $x$, and $x^\bullet = \{y \mid [x,y] \in F\}$ denotes its post-set.

Definition 2 (Transition relation). We say: $t$ can fire at a marking $m$ yielding a marking $m'$ (written: $m \xrightarrow{t}_R m'$) iff for all $p \in P$, $m(p) \ge W([p,t])$ and $m'(p) = m(p) - W([p,t]) + W([t,p])$.

If there exists an $m'$ to a given $m$ and $t$ such that $m \xrightarrow{t}_R m'$, then we say: $t$ is enabled at $m$. We extend the transition relation to sequences of transitions. Define $m \xrightarrow{\varepsilon}_R m$ for arbitrary $m$ and the empty sequence $\varepsilon$, and $m \xrightarrow{wt}_R m'$ ($w$ being a transition sequence and $t$ a transition) iff there is an $m^*$ such that $m \xrightarrow{w}_R m^*$ and $m^* \xrightarrow{t}_R m'$. If there is a transition sequence $w$ such that $m \xrightarrow{w}_R m'$, we write $m \rightarrow_R m'$.

Definition 3 (Reachability graph). A directed labelled graph is the reachability graph of a Petri net $N = [P, T, F, W, m_0]$ iff its set of nodes is the set of all reachable markings, i.e. $\{m \mid m_0 \rightarrow_R m\}$, and $[m, m']$ is an edge labelled with $t$ iff $m \xrightarrow{t}_R m'$.

We generalise the concept of reachability graphs such that reduced reachability graphs are covered.

Definition 4 (Transition system). Let $M$ be a set of markings of a Petri net $N$ containing its initial marking and $\cdot \xrightarrow{\cdot} \cdot$ a relation on $M \times T \times M$ such that $m \xrightarrow{t} m'$ implies $m \xrightarrow{t}_R m'$. Then $[M, \cdot \xrightarrow{\cdot} \cdot]$ is a transition system of $N$.

For any finite set $X$, let $X^*$ be the set of finite words over $X$. We extend the general transition relation $\cdot \xrightarrow{\cdot} \cdot$ to the domain $M \times T^* \times M$ in the same manner as the original reachability relation.



3 Stubborn sets 

Stubborn sets of transitions enjoy a certain independency from the remaining 
transitions. There are two different degrees of independency leading to different 
definitions. 

Definition 5 (Stubborn set). Let $m$ be a marking. Then a set $St(m)$ of transitions is stubborn in the weak sense at $m$ iff for every sequence $w$ of transitions in $T \setminus St(m)$ and every $t \in St(m)$ it holds: if there is an $m'$ such that $m \xrightarrow{wt}_R m'$ then $m \xrightarrow{tw}_R m'$. $St(m)$ is stubborn in the strong sense iff additionally for every sequence $w$ of transitions in $T \setminus St(m)$ and every $t \in St(m)$ it holds: if there are $m_1$ and $m_2$ such that $m \xrightarrow{w}_R m_1$ and $m \xrightarrow{t}_R m_2$ then there is an $m'$ such that $m \xrightarrow{wt}_R m'$.

While weak stubborn sets require the ability to sort stubborn transitions to 
the beginning of a sequence, strong stubborn sets require the exchangeability of 
stubborn and non-stubborn transitions in both directions. 

In many papers, sets as defined above are called semistubborn. For our ap- 
proach, a distinction between semistubborn and stubborn sets is not necessary, 
so we use the shorter name. Note that in our setting the empty set of transitions 
as well as the set of all transitions are always stubborn in both senses at any 
marking. 

Given a mapping $St$ assigning a stubborn set to every marking $m$, we can construct a reduced reachability graph in the same way as the full reachability graph. All we have to do is to replace the original reachability relation $m \xrightarrow{t}_R m'$ by a new relation $m \xrightarrow{t}_{St} m'$, where $m \xrightarrow{t}_{St} m'$ iff $m \xrightarrow{t}_R m'$ and $t \in St(m)$. Building a graph starting from $m_0$ and using this relation, we obtain a transition system that is a subgraph of the reachability graph.

If we assign the set of all transitions as stubborn set to all markings, then the reduced graph is identical to the full graph. If we assign the empty set to $m_0$, then the reduced graph contains only $m_0$ itself. It is difficult to deduce interesting properties from the latter graph. Thus, the art of applying stubborn sets is to choose stubborn sets that are large enough to preserve certain properties, but as small as possible in order to obtain a significant reduction of the search space.

For this purpose we come up with a given set $A(m)$ of transitions that may or may not depend on $m$ and use a (preferably small) stubborn superset of $A(m)$. We denote a stubborn superset of $A(m)$ at a marking $m$ by $St(m, A)$. The set $A(m)$ shall be used for tuning the stubborn set such that it preserves the desired property. We call $A(m)$ an attractor set. We refer to a reduced graph obtained by using $St(m, A)$ at every marking by using the relation symbol $\cdot \xrightarrow{\cdot}_A \cdot$.

Stubborn supersets can be calculated as a closure operation. Starting with 
A{m), we include step by step such transitions that could violate the required 
property for stubborn sets. The correctness of our results does not depend on 
the particular stubborn set algorithm used. Thus, we refer the reader to [9, 17] 
for calculation issues. According to [17], stubborn sets can also be calculated by 
removing transitions step by step from the set of all transitions. This algorithm 
can also calculate stubborn supersets of A since it can mark some transitions as 
unremovable. 

4 The ignoring problem 

For some properties (for example, liveness, reversibility) it is necessary to consider the ignoring problem. These properties as well as ignoring are related to the strongly connected components of the reachability graph. We study the ignoring problem only for bounded nets, i.e. finite state systems.

Definition 6 (Strongly connected components). Let $[M, \cdot \xrightarrow{\cdot} \cdot]$ be a transition system. Two markings $m$ and $m'$ are mutually reachable ($m \leftrightarrow m'$) iff $m \rightarrow m'$ and $m' \rightarrow m$. A strongly connected component (SCC) of $[M, \cdot \xrightarrow{\cdot} \cdot]$ is an equivalence class of $M$ with respect to $\leftrightarrow$. A terminal strongly connected component (TSCC) is a strongly connected component $C$ where $m \in C$ and $m \rightarrow m'$ imply $m' \in C$.

Finite transition systems have at least one TSCC. TSCC are the maximal elements of the reachability relation between SCC (define $C_1 \rightarrow C_2$ iff there exist $m_1 \in C_1$ and $m_2 \in C_2$ such that $m_1 \rightarrow m_2$). Reachability between SCC is a reflexive partial order relation.

Definition 7 (Ignored transition). Let $[M, \cdot \xrightarrow{\cdot} \cdot]$ be a transition system, $C$ one of its TSCC, and $t$ a transition. If for all $m \in C$, $t$ is enabled at $m$ but for no $m'$ the arc $m \xrightarrow{t} m'$ is contained in the transition system, then $t$ is ignored.

Using Tarjan's algorithm for the detection of SCC during depth-first graph exploration, it is easy to construct a graph without ignored transitions. Immediately after the last marking $m$ of an SCC has been entered for the last time, the SCC is recognised and can be identified as terminal or non-terminal. If it is terminal, we can check for ignored transitions. If there are any, we can enlarge the set of transitions to be fired at $m$ without threatening the depth-first nature of graph exploration.

Avoiding ignored transitions aims at the following property, proved in [10]:

Proposition 1 (Ignored transitions and TSCC). If a transition system is reduced with respect to stubborn sets in the strong sense and does not contain ignored transitions, then for every TSCC $C$ of the full reachability graph there is an $m \in C$ contained in the reduced transition system.



5 Existing stubborn set approaches 

We give a brief overview on some relevant stubborn set methods in the context 
of standard properties. 

Basic stubborn sets use weak stubborn sets containing an enabled transition 
without further restrictions. They preserve all dead markings and one infinite 
path if there is one in the full graph. No other properties are preserved though 
some (for instance, reachability) can be traced back to the dead marking problem 
by some net transformations. 

Extended stubborn sets use strong stubborn sets and remove ignored transi- 
tions. This way, in addition to basic stubborn sets, we can preserve dead transi- 
tions and liveness. 

Language preserving stubborn sets assign a letter or the empty word to every transition. The transitions that are labelled by the empty word are called invisible, the remaining ones are visible. The language of the net is the set of all label sequences of finite firing sequences. Using extended stubborn sets with the further restriction that a stubborn set either does not contain enabled visible transitions or includes all visible transitions, the language of the net in the above sense is preserved. This technique can be used for the preservation of many safety properties.

LTL-preserving stubborn sets preserve formulas of a next-step free linear 
temporal logic. They are based on language preserving stubborn sets where all 
transitions that can potentially change the value of atomic propositions in the 
given formula are treated as visible. Additionally it is required that for every 
visible transition t and every infinite path of the reduced graph (in particular, 
every elementary cycle) there is at least one state where t is in the stubborn set 
used. 

CTL-preserving stubborn sets preserve formulas of the branching time tempo- 
ral logic CTL. They are based on language preserving stubborn sets and obey the 
additional restriction that a stubborn set either has only one enabled transition 
which is invisible or contains all enabled transitions. This restriction guarantees 
that the branching structure of the full graph is reflected correctly in the reduced 
graph. 

The methods are characterised by an increasing number of requirements. All 
requirements potentially lead to less reduction. 
Fig. 1. Unbounded net with finite reduced graph



6 Boundedness 

A net is bounded iff its number of reachable markings is finite. This is the case 
iff there is an upper bound for the number of tokens in the net. Preserving 
boundedness means that the reduced graph is finite iff the full graph is. 

Definition 8 (Boundedness). Let $N = [P, T, F, W, m_0]$ be a Petri net and $[M, \cdot \xrightarrow{\cdot} \cdot]$ a transition system of $N$. A place $p \in P$ is bounded iff there is a number $c$ such that for all $m$, $m_0 \rightarrow m$ implies $m(p) \le c$. A net is bounded iff there is a number $c$ such that for all $m$, $m_0 \rightarrow m$ implies $\sum_{p \in P} m(p) \le c$.

Basic and extended stubborn sets do not preserve boundedness. Con- 
sider Figure 1 (from [18]). 

At the initial marking, {a} is stubborn. At the other marking, {b} is 
stubborn. Thus, the reduced graph is finite though the net is obviously 
unbounded. No transition is ignored. 

LTL and CTL preserving approaches are not applicable to the bound- 
edness problem since boundedness cannot be expressed as a formula of 
LTL or CTL. Language preserving stubborn sets can be used in principle 
but require extended stubborn sets and must treat all transitions that 
change the number of tokens in the net as visible. 

We aim at constructing a reduced reachability graph that is finite if and only if the original graph is. Thus, at any marking, we want to keep the reachable larger markings inside the reduced graph, while we are not interested in the remaining markings. Between any "current" marking and a larger marking, we always find a transition where more tokens are produced than consumed. Transitions of this kind form the key to the reduced graph.

Let $N = [P, T, F, W, m_0]$ be a Petri net and $A$ be the set of all transitions $t \in T$ where $\sum_{[p,t] \in F} W([p,t]) < \sum_{[t,p] \in F} W([t,p])$. $A$ does not depend on a particular marking. Nevertheless we use it as attractor set. Consider the reduced graph obtained by using a weakly stubborn superset of $A$ at every marking. Then it holds:

Theorem 1 (Preserve boundedness). The full reachability graph is finite if and only if the reduced graph as described above is finite.

Proof. If the original graph is finite, then the reduced graph as a subgraph 
is finite as well. 

Let the original graph be infinite and assume that the reduced graph is finite. This means that there is a number $c$ such that for all markings $m$ appearing in the reduced graph (i.e. satisfying $m_0 \rightarrow_A m$), $\sum_{p \in P} m(p) \le c$, while in the original graph there is a marking $m^*$ such that $m_0 \rightarrow_R m^*$ and $\sum_{p \in P} m^*(p) > c$. $m_0$ appears as well in the reduced graph. Thus, there are markings $m$ and transition sequences $w$ such that $m_0 \rightarrow_A m$ and $m \xrightarrow{w}_R m^*$. Select among all those $m$ and $w$ a pair $m_{min}$ and $w_{min}$ such that the length of $w_{min}$ is as small as possible. Since $\sum_{p \in P} m_{min}(p) \le c$ and $\sum_{p \in P} m^*(p) > c$, an element of $A$ must appear in $w_{min}$. Therefore $w_{min}$ contains occurrences of transitions in $St(m_{min}, A)$. Thus, we can find a marking $m'$, a transition $t_{st} \in St(m_{min}, A)$ and transition sequences $w_1$ and $w_2$ such that $w_{min} = w_1 t_{st} w_2$, $m_{min} \xrightarrow{w_1 t_{st}}_R m' \xrightarrow{w_2}_R m^*$ and $w_1$ does not contain elements of $St(m_{min}, A)$ (i.e. $t_{st}$ is the first occurrence of a transition in $St(m_{min}, A)$ in $w_{min}$). Note that $t_{st}$ is not necessarily an element of $A$ itself. The situation we have found so far is illustrated in Figure 2. According to Definition 5, there is an $m_1$ such that $m_{min} \xrightarrow{t_{st}}_R m_1 \xrightarrow{w_1}_R m'$. Since $t_{st}$ is in $St(m_{min}, A)$, $m_1$ is contained in the reduced graph. Furthermore, there is a path from $m_1$ to $m^*$, namely $w_1 w_2$. See Figure 3 for an illustration of the last conclusions. The path $w_1 w_2$ is shorter than $w_{min}$, in contradiction to the selection of $w_{min}$. The only assumption that could be responsible for this contradiction is the boundedness of the reduced graph. □

Fig. 2. Situation studied in the proof of Theorem 1

In the example at the beginning of the section, we would always choose {a} 
as stubborn set, since it is the only transition that increases the number of tokens 
and is stubborn. 

The choice of relevant transitions can be refined when structural knowledge 
is available. For instance, if we know a set of semi-positive place invariants, we 
can replace the set A by the set of all pre-transitions of places not covered by an 
invariant. The proof follows the same pattern: prove that between the current 
marking and a larger marking there is a transition of the new attractor set, 
and therefore there is an element of the stubborn set, too, included in the path. 
Consequently, there is always a shorter path than the selected minimal one. 

The largest reduction can be obtained in those cases where $A$ is empty. In this case, we can use the empty set as stubborn set, which means that the reduced graph consists of $m_0$ only. This is nevertheless correct since in this case the net is conservative and consequently bounded. The controlled use of empty stubborn sets or sets without enabled transitions is an important difference between the original and our stubborn set approach.

Fig. 3. Main conclusion in the proof of Theorem 1

Our reduced graph preserves boundedness of a net, but not necessarily bound- 
edness of particular places. For instance, if we add an output place to transition 
b of our introductory example, our reduced graph would always fire a and leave 
the new place unmarked. Therefore, preserving boundedness of particular places 
requires to calculate a reduced graph with respect to another set of relevant 
transitions. 

Theorem 2 (Preserve boundedness of single places). Let $p$ be a place of a net $N = [P, T, F, W, m_0]$ and $m$ a marking. If a reduced graph is calculated by firing a weakly stubborn superset $St(m, {}^\bullet p)$ of ${}^\bullet p$ at $m$, then $p$ is bounded in the reduced graph if and only if it is bounded in the original graph.

The proof follows the same pattern as the proof concerning boundedness of the net. Instead of showing that an element of $A$ appears on a path between the current and any target marking, we show that an element of ${}^\bullet p$ appears there. Call ${}^\bullet p$ an attractor set for the single place boundedness problem.

In combination with the coverability graph method [4, 1], the reduced graph 
generation can be used to decide boundedness of places of the net. The combined 
approach works exactly like usual coverability graph generation [4, 1] but consid- 
ers only a stubborn set of transitions at every generalised marking (generalised 
markings do not impose a problem to stubborn set generation since enabledness 
is clearly defined). 

For preserving boundedness of particular places, [16] suggests to consider the formula $\exists k\,(\Box\, m(p) \le k)$. Thereby $\Box$ is the always operator of linear time temporal logic. The existential quantifier is not part of the logic, therefore the formula must be treated as an infinite disjunction. Fortunately, all parts of the disjunction share the same set of visible transitions, namely ${}^\bullet p \cup p^\bullet$. This opens the way to use language or LTL preserving stubborn sets for the bounded place problem. However, this proposal requires further investigation since we deal with potentially unbounded systems where the combination with coverability graphs is compulsory. It is not obvious how the ignoring problem is solved since the coverability graph does not completely reflect the SCC structure of the original graph. For our approach, weak stubborn sets are used in the basic sense, i.e. no information about the graph structure is involved.

7 Reachability 

Let $m^*$ be a marking, called the target marking. We aim at constructing a reduced graph that contains $m^*$ if and only if the full graph does.

Language, LTL and CTL preserving approaches do not work well on this problem since there are no invisible transitions with respect to the reachability of $m^*$ (except in the boring case of transitions that do not change a marking at all).

The reachability problem can be transformed into a dead marking problem. This method is currently implemented in INA [7]. An additional transition $t^*$ kills the net as soon as the target marking is covered. For this purpose, $t^*$ has an arc from every place $p$ with multiplicity $m^*(p)$. An additional place $p^*$ is necessary, having arcs in both directions to the transitions without input places and an output arc to $t^*$. $m^*$ is reachable in the original net iff the empty marking appears in the set of dead markings of the transformed net. However, there are several examples (one is presented later in this section) where this transformation does not yield any reduction.

Finally, for nets with known capacities for all places the fact technique 
can be used to transform a reachability problem into a dead transition 
problem. Then, extended stubborn sets can be used while basic stubborn 
sets are not sufficient. 

Let $m$ be a marking of the reduced graph. We have to calculate a suitable stubborn set at $m$. If $m = m^*$, then nothing is left to do; we can use $\emptyset$ as stubborn set. Otherwise, there is a place $p$ where $m(p) \ne m^*(p)$. Select an arbitrary place $p$ with this property. If $m(p) > m^*(p)$, let $A(m) = p^\bullet$. If $m(p) < m^*(p)$, let $A(m) = {}^\bullet p$. It is sufficient to use stubborn supersets of $A(m)$ in the weak sense.

Theorem 3 (How to preserve reachability). If a reduced graph is constructed using the stubborn sets described above, then the reduced graph contains $m^*$ if and only if the original graph does.

Proof. If $m^*$ is not reachable in the original transition system, then it cannot be reachable in the reduced system, since the reduced transition system is a subsystem of the full one.

Assume $m^*$ is reachable in the full graph, but not in the reduced graph. Since at least $m_0$ is contained in the reduced graph and $m_0 \rightarrow_R m^*$, we can select a marking $m$ and a transition sequence $w$ such that $m_0 \rightarrow_A m$, $m \xrightarrow{w}_R m^*$ and $w$ has the shortest possible length. Consider the attractor set $A(m)$ and the stubborn set $St(m, A)$ used at $m$. If $m = m^*$, nothing remains to show. Otherwise we selected a place $p$ where $m(p) < m^*(p)$ or $m(p) > m^*(p)$. In the first case, the sequence $w$ must contain a transition producing tokens on $p$. In the second case it must contain a transition removing tokens from $p$. Therefore, in both cases $w$ contains transitions from $A(m)$. Thus, we may divide $w$ into $w_1 t w_2$ where $t$ is the first appearance of a stubborn transition at $m$ and $w_1$, $w_2$ are transition sequences. The definition of stubborn sets states the existence of a marking $m_1$ such that $m \xrightarrow{t}_A m_1$ and $m_1 \xrightarrow{w_1 w_2}_R m^*$. $w_1 w_2$ is obviously shorter than $w$, in contradiction to the selection of $w$. □



Example. Figure 4 depicts an unbounded net. According to [8], this net was introduced by H. Muller in the early 1980s. Reachability of some markings in this net is not easy to see, since (as the following considerations shall show) it is necessary to go "in the wrong direction" first before reaching a certain marking, which appears to be a difficult situation for our approach.

We want to analyse the reachability of the marking $(2, 2, 0, 0, 1)$ from the depicted marking $(1, 2, 3, 1, 0)$. This marking is indeed reachable, for instance via the following shortest path (the transition labels on the arrows are illegible in the scan):

$(1,2,3,1,0) \rightarrow_R (2,3,3,0,1) \rightarrow_R (2,2,4,0,1) \rightarrow_R (2,4,2,0,1) \rightarrow_R (2,6,0,0,1) \rightarrow_R (2,4,1,1,0) \rightarrow_R (3,5,1,0,1) \rightarrow_R (3,3,2,1,0) \rightarrow_R (4,4,2,0,1) \rightarrow_R (4,2,3,1,0) \rightarrow_R (2,2,0,0,1)$.



Though the number of tokens on $p_2$ at $m_0$ is already the desired one for the target marking, it is necessary to put up to 6 tokens on it before reaching the target marking. The marking cannot be reached without taking this roundabout.

Using breadth-first search in the full graph, we have to develop the graph 
up to depth 10 to find the marking. At that stage, 91 nodes have been com- 
puted. INA tries to modify the net such that the original reachability problem is 
translated into a reachability problem concerning a dead marking and performs 
breadth-first search on the reduced graph of the modified net. INA calculates 
94 nodes for the problem (this means, no reduction is obtained while a few addi- 
tional dead markings are generated that correspond to markings strictly covering 
the target marking). With our approach, we had to search in a reduced graph 
where only 51 nodes were computed with a depth of 10 or less (the number varies 
a bit according to the strategy to select the difference place p for stubborn set 
calculation, but the reduction remains roughly the same). 



8 The pattern of attractor sets 

In all approaches up to now (and in the sequel), we used stubborn supersets of a certain set $A$ that does (reachability) or does not (boundedness) depend on the current marking. In all cases, the used set consists of exactly those transitions that would, when fired, bring us closer to the desired situation (add tokens to the net or a particular place, change the number of tokens on a place such that it becomes closer to the desired number). In this sense, attractor sets guide graph generation into the desired direction. It is the task of the stubborn closure to take care of those situations where the desired transitions cannot fire immediately but only after having fired some other transitions.

9 Satisfiability and Invariance 

We generalise the stubborn set approach for reachability to the satisfiability of 
state predicates. 

Definition 9 (State predicate). Let $N$ be a Petri net. Any boolean combination of strings of the form $p\,R\,k$, where $p$ is a place of $N$, $R \in \{<, \le, >, \ge, =, \ne\}$, and $k$ is a natural number, is called a state predicate for $N$. A state predicate is satisfiable iff there is a marking $m$ reachable from the initial marking such that replacing the place names $p$ in the predicate by the corresponding values $m(p)$ transforms the predicate into a true statement (using the standard interpretation for the relation symbols). A state predicate is an invariant iff all replacements according to reachable markings transform it into a true statement.

Given a target marking $m^*$, reachability of $m^*$ is equivalent to the satisfiability of $\bigwedge_{p \in P} p = m^*(p)$.

We assume that conjunction (A) and disjunction (V) are the only boolean 
operators used. This does not restrict generality, since negation symbols atop 
of boolean operators can be removed using de Morgan’s rules while negation 
symbols atop of atomic comparisons can be removed, since our set of allowed 
comparisons is closed under negation. Other than this restriction, we do not 
assume any normal form. Thus, we do not suffer from the well known complexity 
problems of normal form construction. 

In the sequel, we study only satisfiability of a given state predicate. However, 
satisfiability and invariance can be translated into each other by negating the 
predicate. 

As for reachability, we try to identify a (small) set of transitions, such that 
one of these transitions necessarily occurs on a path between the current marking 
and any satisfying marking. 

Let m be an arbitrary marking. If m satisfies the predicate φ, then nothing is 
left to do. We use ∅ as stubborn set. If m does not satisfy the predicate, then 
we define the attractor set A_φ(m) inductively. For every m that does not satisfy 
φ, we determine A_φ(m) such that every path from m to a marking satisfying φ 
contains a transition in A_φ(m). When A_φ(m) enjoys this property, and stubborn 
supersets of A_φ(m) (in the weak sense) are used for state space reduction then 
φ is satisfiable in the reduced graph iff it is satisfiable in the original graph. The 
proof is basically the same as for reachability. 

If φ is an atomic comparison, A_φ(m) can be determined as follows: 

    Formula φ      Attractor set A_φ(m) 
    p < k          p• 
    p > k          •p 
    p ≤ k          p• 
    p ≥ k          •p 
    p = k          •p        if m(p) < k 
                   p•        if m(p) > k 
    p ≠ k          •p ∪ p• 


Let φ = φ1 ∧ φ2. Since φ is not satisfied at m there is an i ∈ {1,2} such that 
φi is not satisfied at m. If none of φ1 and φ2 are satisfied, let i be either of both 
indices. On any path between the current marking and a marking satisfying φ, 
the truth value of φi must change from false to true. Thus, a transition from 
A_φi(m) must occur. Consequently, we can set A_φ(m) = A_φi(m). If we express 
the reachability problem for m* by the satisfiability problem ⋀_{p∈P} p = m*(p), 
then we obtain exactly the stubborn sets as discussed for reachability. 

Let φ = φ1 ∨ φ2. Since φ is not satisfied at m, neither of φ1 and φ2 are satisfied. 
Thus, between the current marking and a marking satisfying φ, the truth value 
of either φ1 or φ2 must change from false to true. Thus, a transition of A_φ1(m) 
or A_φ2(m) must occur. Therefore, we can set A_φ(m) = A_φ1(m) ∪ A_φ2(m). 
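The attractor-set construction of this section, written out as added example code that is not part of the paper: a Python implementation of A_φ(m) over the predicate grammar of Definition 9 (atomic comparisons, ∧, ∨), including the encoding of reachability as a conjunction of equalities. The net representation (transition name to pre- and post-places), the constructed EXAMPLE_NET and all function names are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple, Union

Marking = Dict[str, int]
# Constructed net representation (assumption of this example, not the paper's):
# transition name -> (pre-places, post-places), each a dict place -> arc weight.
# •p is the set of transitions producing on p, p• the set consuming from p.
Net = Dict[str, Tuple[Dict[str, int], Dict[str, int]]]


@dataclass(frozen=True)
class Atom:
    """Atomic comparison p R k of Definition 9."""
    place: str
    rel: str  # one of "<", "<=", ">", ">=", "=", "!="
    k: int


@dataclass(frozen=True)
class And:
    left: "Pred"
    right: "Pred"


@dataclass(frozen=True)
class Or:
    left: "Pred"
    right: "Pred"


Pred = Union[Atom, And, Or]

_REL = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
        "=": lambda a, b: a == b, "!=": lambda a, b: a != b}


def holds(phi: Pred, m: Marking) -> bool:
    """Standard interpretation: replace each place name by m(p) and evaluate."""
    if isinstance(phi, Atom):
        return _REL[phi.rel](m.get(phi.place, 0), phi.k)
    if isinstance(phi, And):
        return holds(phi.left, m) and holds(phi.right, m)
    return holds(phi.left, m) or holds(phi.right, m)


def pre_set(net: Net, p: str) -> FrozenSet[str]:
    """•p: transitions that produce tokens on p."""
    return frozenset(t for t, (_, post) in net.items() if p in post)


def post_set(net: Net, p: str) -> FrozenSet[str]:
    """p•: transitions that consume tokens from p."""
    return frozenset(t for t, (pre, _) in net.items() if p in pre)


def attractor(net: Net, phi: Pred, m: Marking) -> FrozenSet[str]:
    """A_phi(m): every path from m to a marking satisfying phi fires a member of it."""
    if holds(phi, m):
        return frozenset()  # nothing left to do: the stubborn set is the empty set
    if isinstance(phi, Atom):
        p = phi.place
        if phi.rel in ("<", "<="):  # m(p) is too large, a consumer of p must fire
            return post_set(net, p)
        if phi.rel in (">", ">="):  # m(p) is too small, a producer on p must fire
            return pre_set(net, p)
        if phi.rel == "=":
            return pre_set(net, p) if m.get(p, 0) < phi.k else post_set(net, p)
        return pre_set(net, p) | post_set(net, p)  # "!=": m(p) must change either way
    if isinstance(phi, And):
        # some conjunct is false at m; its truth value must flip on every path to phi
        unsat = phi.left if not holds(phi.left, m) else phi.right
        return attractor(net, unsat, m)
    # Or: neither disjunct holds, so a transition of one of the two sets must occur
    return attractor(net, phi.left, m) | attractor(net, phi.right, m)


def reachability_predicate(target: Marking) -> Pred:
    """Reachability of m* expressed as the predicate  AND over p of  p = m*(p)."""
    atoms = [Atom(p, "=", k) for p, k in sorted(target.items())]
    phi: Pred = atoms[0]
    for a in atoms[1:]:
        phi = And(phi, a)
    return phi


# Constructed example net (assumption): t1 moves a token from p to q, t2 moves it
# back, t3 removes a token from q, t4 generates a token on p.
EXAMPLE_NET: Net = {
    "t1": ({"p": 1}, {"q": 1}),
    "t2": ({"q": 1}, {"p": 1}),
    "t3": ({"q": 1}, {}),
    "t4": ({}, {"p": 1}),
}
```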
Fig. 5. Reduced graph not preserving shortest paths 



Theorem 4 (Preserve satisfiability of state predicates). Using weakly 
stubborn supersets of A_φ(m) at every marking, satisfiability of φ is preserved 
in the reduced graph. 

Corollary 1 (Preserve invariance of state predicates). Using weakly stub- 
born supersets of A_¬φ(m) at every marking, invariance of φ is preserved in the 
reduced graph. 

In this framework, many simple standard Petri net properties can be ex- 
pressed. 

It is difficult to compare our approach with language preserving stub- 
born sets. However, the stubborn sets are different. Language preserving 
stubborn sets contain either no enabled visible transition or all visible 
transitions (i.e. transitions in the environment of places appearing in (f>). 

Our stubborn sets always contain at least some visible transitions, but 
not necessarily all of them. Thus it is likely that language preserving 
stubborn sets behave better in those cases where many transitions are 
invisible while our approach is recommendable for problems with many 
visible transitions. As an example for the total absence of invisible tran- 
sitions we have already studied the reachability problem. 



10 Shortest paths 

In many situations, the existence of a path to a state satisfying a predicate is 
not the only useful piece of information in the context of reachability. For several 
optimisation problems, the shortest path to a state satisfying the predicate is 
of interest. For debugging purposes, short witness paths (for satisfiability) and 
counterexample paths (for invariance) are welcome as well. A shortest path to 
a state predicate is a transition sequence starting at mo, leading to a marking 
that satisfies the predicate, and having minimal length. 

Extended, language, LTL, and CTL preserving stubborn sets do not 
preserve shortest paths. 
Consider Figure 5 and the state predicate p3 = 0. The only visible 
transition with respect to this predicate is t3. At m0, {t2} is stubborn and 
t2 is invisible. Thus, it is possible to fire only t2 at m0. In the reduced 
graph (depicted in the same figure), the shortest path to a marking 
satisfying p3 = 0 has length 2. In the original graph, a marking satisfying 
the predicate can be reached by firing only one transition, namely t3. 

Basic stubborn sets do preserve shortest paths to dead states. This 
fact can be easily deduced from the original proofs but has, to the authors' 
best knowledge, not received the attention it deserves. 

Theorem 5 (One shortest path is preserved). Using our stubborn set ap- 
proach to the satisfiability problem, a shortest path in the reduced graph to the 
given predicate φ has the same length as a shortest path of the full graph. 

Proof. As the reduced graph is a subgraph of the full one, a shortest path 
in the reduced graph cannot be shorter than a shortest path in the full graph. 

Let l be the length of a shortest path in the original graph to φ. We show 
that there is a path of the same length in the reduced graph. Assume there is no 
path of the considered length in the reduced graph. Since we consider paths starting 
at the initial marking, every path w of length l can be divided into w = w1 w2 
where w1 appears in the reduced graph as well and w2 does or does not have 
arcs in common with the reduced graph. According to our assumption, w2 is not 
empty. Select, among all paths from m0 to φ with length l, such w1* and w2* 
that the length of w1* is maximal, i.e. the path that leaves the reduced subgraph for 
the first time as late as possible. Let m* be the marking satisfying m0 --w1*--> m* 
and consider the stubborn set used at m*. Since w2* is a path from m* leading 
to a marking m satisfying φ, it contains elements of the stubborn set at m* (see 
the preservation theorem for details). Thus, we can split w2* into sequences v1, 
v2, and a transition t* where w2* = v1 t* v2, v1 does not contain elements of the 
stubborn set used at m*, and t* is an element of the stubborn set used at m*. 

According to the definition of stubborn sets it holds m* --t*--> m1. Since 
t* is in the stubborn set used at m*, m1 appears in the reduced graph. Thus, 
w1* t* v1 v2 is a path in the full graph of length l leading from m0 to m. m satisfies 
φ. Furthermore this sequence can be split into w1* t* and v1 v2 where the first 
part is completely contained in the reduced part and longer than w1*. This is a 
contradiction to the assumed maximality of the length of w1*. □ 

The proof shows that the reduced graph contains at least one permutation 
of every shortest sequence to a marking satisfying the predicate. 



Corollary 2 (Cheapest paths are preserved). Let c : T → Q⁺ be a cost 
function. Define the costs of a sequence as the sum of the costs of the occurring 
transitions. Then our stubborn set approach to the satisfiability of state predicates 
preserves a cheapest path. 
11 Dead transitions 

Dead transitions are preserved by extended stubborn sets. In our 
approach, stubborn sets in the weak sense can be used. On the other 
hand, extended stubborn sets preserve all dead transitions while our 
approach requires specifying a single transition to be preserved. However, 
this setting might be useful in the context of the fact technique. 

We obtain stubborn sets that are equivalent to those that can be 
obtained with tester processes [12]. However, we present the approach in 
order to show the consistency of our concept for standard properties. 

Definition 10 (Dead transition). A transition t is dead (according to a tran- 
sition system) if there is no m such that m0 -->* m and t is enabled at m. 

Theorem 6. Use, at every m, a stubborn superset (in the weak sense) of {t} 
(i.e. {t} is the attractor set) and t will be dead according to the reduced graph iff 
it is dead according to the full graph. If t is not dead, a shortest sequence from 
m0 to a marking enabling t is preserved. 

The proof is straightforward when the common patterns of the previous 
proofs are used. 

12 Dead markings revisited 

Our approach does not add anything to the dead marking problem. However, 
we obtain a slightly different perspective to the problem. Furthermore we can 
show that our approach is consistent for a large class of properties. 

Definition 11 (Dead marking). A marking is dead iff it is reachable from 
the initial marking and no transition is enabled at it. 

We construct a reduced graph that contains all dead markings of the full 
graph. As usual, we identify a set of transitions that attracts graph generation 
to the desired class of markings. Consider a marking m. If m is not dead then 
there is an enabled transition t at m. Between m and a dead marking some event 
must happen that disables t. Thus, t or a conflicting transition must occur. That 
is, our approach suggests to use stubborn supersets of the attractor set (•t)•. 

In the original approach, we choose an enabled transition and com- 
pute a stubborn superset of it. At the first glance, this seems to yield 
smaller stubborn sets. However, adding the conflicting transitions to an 
enabled transition is usually part of the closure operation. Thus, the 
original method leads to the same stubborn set as ours.¹ 

¹ Some optimisations basically exploit the non-determinism for the choice of the start- 
ing transition (i.e., they may switch to another starting transition during stubborn 
set calculation), or they improve upon the treatment of transitions with arcs in both 
directions to a place. In principle, these optimisations can be applied to our stubborn 
sets as well. 
13 Stubborn sets and terminal components 

The component structure of the reachability graph provides valuable information 
about the system behaviour. Several properties, among them liveness, reversibil- 
ity, and home states, can be defined in terms of terminal strongly connected 
components of the reachability graph, at least if the reachability graph is finite. 
In this section, we consider satisfiability of state predicates in terminal compo- 
nents. Thereby we restrict ourselves to bounded (i.e. finite state) systems. Given 
a state predicate we want to preserve the following situations: 

— in all terminal components there is a state satisfying φ; 

— there is a terminal component where all states satisfy φ. 

These constellations correspond to temporal expressions such as "it is always 
possible to satisfy φ", and "it is possible to make φ hold permanently". These 
situations could be called liveness of φ and (weak) stability of φ. 

Theorem 7 (Stubborn sets for TSCC based properties). Consider an 
arbitrary state predicate φ and a reduced transition system constructed using 
attractor sets as defined in Section 9, using stubborn sets in the strong sense, 
and avoiding ignored transitions. Then every TSCC of the reduced graph contains 
a marking satisfying φ iff the full graph does. 

Via contraposition and using the negated state predicate, the theorem covers 
weak stability as well. 

Proof. 

Part 1 

Assumption: Every TSCC of the full graph contains a marking satisfying φ. 
Claim: Every TSCC of the reduced graph contains a marking satisfying φ. 

Let C be a TSCC of the reduced graph and m ∈ C. m is contained some- 
where in the full graph as well. Thus (by basic properties of SCC) some TSCC 
of the full graph can be reached from m and inside this TSCC is a state satis- 
fying φ. Hence, there is a path in the full graph from m leading to a marking 
satisfying φ. Let m* be the first marking satisfying φ on this path. According to 
the considerations about preservation of state predicates, some path from m to 
m* is contained in the reduced graph as well. Since C is a terminal SCC of the 
reduced graph, this path cannot leave C. Thus, m* ∈ C. 

Part 2 

Assumption: Every TSCC of the reduced graph contains a marking satisfying φ. 
Claim: Every TSCC of the full graph contains a marking satisfying φ. 

Let C be a TSCC of the full graph. By construction and Proposition 1, there is 
an m ∈ C contained somewhere in the reduced graph as well. Thus, some TSCC 
of the reduced graph is reachable from m and there is a marking m* satisfying φ in it. 
Since the reduced transition system is a subgraph of the full graph, the same 
path exists in the full graph. Since the path cannot leave the terminal SCC C, 
m* is contained in C as well. □ 

In this generality, our approach complements previous methods. In 
general, TSCC based properties cannot be expressed in terms of net 
languages or LTL. Basic stubborn sets sometimes cut off all TSCC. Ex- 
tended stubborn sets preserve selected properties, but not arbitrary ones. 

In CTL, all properties can be expressed (via the operators AG and EF) 
but the CTL-preserving method imposes much stronger restrictions to 
the reduced graph. 

14 Liveness, reversibility 

Definition 12 (Liveness, reversibility). Consider an arbitrary finite tran- 
sition system. A transition t is live iff every TSCC of the transition system 
contains a marking where t is enabled. The transition system is reversible iff 
every TSCC contains m0 (i.e. there is exactly one TSCC). 

Due to our restriction to finite state systems, our definition of liveness is 
equivalent to the more popular one: for every reachable state another state is 
reachable where t is enabled. Reversibility can be directly traced back to results 
of the previous section. For liveness, we can either use the enabling condition and 
use results of the previous section, or we can compute a reduced graph without 
ignored transitions using stubborn supersets of attractor set {t}. 

Extended stubborn sets preserve liveness of all transitions. Since our 
method imposes all restrictions of extended stubborn sets, the new ap- 
proach cannot lead to better reduction than extended stubborn sets. 
Thus, we have a case where the existing methods are strictly more pow- 
erful than ours. 

To the author’s best knowledge, a stubborn set approach to reversibil- 
ity has not been reported elsewhere. Among the existing general ap- 
proaches, only CTL can express reversibility, but its stubborn set method 
fails due to the absence of invisible transitions (unless there are transi- 
tions that do not change the marking at all). 



15 Home states 

Definition 13 (Home state). If the reachability graph of a Petri net has ex- 
actly one TSCC, then its elements are home states. If the reachability graph has 
more than one TSCC, the net does not have home states. 

We have to distinguish the existence of home states from the verification 
whether a particular state m is a home state. The second query is equivalent to 
the appearance of m in every TSCC. Thus, the method of section 13 applies. If 
one is interested in all home states, one can use any single home state m and 
compute the set of all states reachable from m. Thus, it is sufficient to study the 
existence of home states. 

Fig. 6. Net with home states 

Fig. 7. Reduced graph not exhibiting the home state property 

Due to the existential quantification of states, the existence of home 
states cannot be expressed in LTL nor in CTL. Language preserving 
stubborn sets do not help either. As the (reversible) net in figure 6 with 
the reduced graph in figure 7 demonstrates, extended stubborn sets do 
not preserve the existence of home states either. Intuitively, the re- 
duced graph with respect to extended stubborn sets does not necessarily 
connect nodes strongly that are strongly connected in the full graph. 

For preserving home states, we propose to compute first the reduced graph 
using extended stubborn sets. Let m_C be any representative of an SCC C in the re- 
duced graph and consider the set H = { m_C | C is a TSCC of the reduced graph }. 
By simple properties of SCC, and Proposition 1, this set contains an element of 
every TSCC of the original graph. If there are m1 and m2 in H where m1 -->*_R m2 
then m1 is either member of a non-terminal SCC (in the full graph) or member 
of the same SCC in the full graph as m2. Thus, in this case m1 can be removed 
from H and H still contains at least one element of every TSCC of the full 
graph. Therefore, we check mutual reachability of the elements in H. For this 
purpose we can use the new stubborn set method for reachability. When the 
removal process terminates with a singleton set, the net has home states and 
the unique element of H is one. If the removal process terminates with more 
than one element in H, the net does not have home states since the remaining 
elements must be members of different TSCC of the full graph. 
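The home-state procedure just described, as added example code that is not part of the paper: terminal SCCs of a (given) reduced graph supply the representative set H, which is then pruned by reachability in the full graph until it is a singleton or not. Both graphs are constructed adjacency maps over labelled states (the "reduced" graph here is simply a hand-picked subgraph, not the result of an extended stubborn set computation), reachability is a plain depth-first search instead of the stubborn set reachability method, and all function names are assumptions of this example.

```python
from typing import Dict, Hashable, List, Optional, Set, Tuple

Graph = Dict[Hashable, Set[Hashable]]  # state -> set of successor states


def nodes_of(graph: Graph) -> Set[Hashable]:
    return set(graph) | {s for succs in graph.values() for s in succs}


def reachable(graph: Graph, start: Hashable) -> Set[Hashable]:
    """All states reachable from start (start itself included), by depth-first search."""
    seen: Set[Hashable] = set()
    stack = [start]
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        stack.extend(graph.get(n, ()))
    return seen


def terminal_sccs(graph: Graph) -> List[Set[Hashable]]:
    """Terminal SCCs: mutually reachable state sets that no arc leaves.

    Computed by pairwise reachability, which is quadratic and fine for small graphs.
    """
    reach = {n: reachable(graph, n) for n in nodes_of(graph)}
    result: List[Set[Hashable]] = []
    done: Set[Hashable] = set()
    for n in sorted(reach, key=str):
        if n in done:
            continue
        comp = {x for x in reach[n] if n in reach[x]}  # the SCC of n
        done |= comp
        if reach[n] <= comp:  # nothing outside the SCC is reachable: terminal
            result.append(comp)
    return result


def has_home_states(reduced: Graph, full: Graph) -> Tuple[bool, Optional[Hashable]]:
    """Section 15 procedure: H = one representative per TSCC of the reduced graph;
    drop m1 whenever some other m2 in H is reachable from m1 in the full graph.
    Returns (home states exist, a home state or None)."""
    H = [min(c, key=str) for c in terminal_sccs(reduced)]
    pruned = True
    while pruned:
        pruned = False
        for m1 in H:
            # m1 -->* m2: m1 is in a non-terminal SCC of the full graph or shares m2's TSCC
            if any(m2 != m1 and m2 in reachable(full, m1) for m2 in H):
                H.remove(m1)
                pruned = True
                break
    if len(H) == 1:
        return True, H[0]
    return False, None


# Constructed full graph (assumption): states b and c form the single TSCC, so every
# element of it is a home state.  The constructed "reduced" graph lacks the arcs b->c
# and c->b, so it shows two terminal SCCs {b} and {c} that the pruning step merges.
FULL: Graph = {"a": {"b", "d"}, "b": {"c"}, "c": {"b"}, "d": {"c"}}
REDUCED: Graph = {"a": {"b", "d"}, "b": set(), "c": set(), "d": {"c"}}

# Constructed graph with two genuine TSCCs {b} and {c}: no home states.
TWO_TSCC: Graph = {"a": {"b", "c"}, "b": {"b"}, "c": {"c"}}
```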



16 Any property missing? 

There is a unique pattern behind all solutions presented in this paper. Identify a 
set of states that you want to preserve. Then, find a set of transitions A(m) (de- 
pending or not depending on the current state m) such that every path starting 
from the current marking and leading to a marking to be preserved contains at 
least one transition in A(m). If you want to preserve the plain occurrence of de- 
sired states, use basic stubborn sets (in the weak sense). If you want to preserve 
the occurrence of desired states in terminal SCC, use extended stubborn sets. 

It is likely that several other properties than those presented in this paper 
can be preserved this way. So one could ask whether results of this paper can be 
generalised to one of the popular temporal logics. Since in this paper we always 
deal with preserving certain states rather than paths, the logic CTL is a better 
candidate for such a generalisation than LTL. Moreover, our method depends on 
situations where there is a difference between the current state and the desired 
states (which needs to be bridged by the attractor transitions). Therefore, it 
turned out that we can provide a new methodology to preserve CTL features like 
EF ("there is a state in the future where...") while we cannot replace the current 
approach for features like EG ("there is a path where all states satisfy..."). In 
the latter case, the current state cannot be distinguished from the "good" future 
states, so we cannot define any reasonable attractor set. However, details about 
a modified CTL model checking approach are subject of a forthcoming paper. 



17 Conclusion 

The major difference between many earlier (general) methodologies of stubborn 
set application and our approach is the meaning of preservation. The language 
preserving [10] as well as the LTL preserving approach [11,12,6,3] preserve 
paths. The CTL approach additionally preserves important parts of the branch- 
ing behaviour between paths. All these methods try to "hide" the reduction by 
restricting it to the invisible part of the system behaviour. We preserve states. 
We try to approach these states directly without caring about visibility. 

Thus, our approach complements the existing stubborn set toolkit. It is 
closely related to the tester concept [12], but treats visibility in a different way. 
We were able to find suitable stubborn sets for a large set of standard proper- 
ties. Especially for global properties (i.e. when invisible transitions are absent), 
our approach still keeps the opportunity of significant reduction. If only few 
transitions are visible, the language preserving method has more room to work. 

As a remarkable new feature, we constantly preserve shortest as well as cheap- 
est witness or counterexample paths for reachability, satisfiability, invariance. 
and dead transition problems (i.e. properties that can be defined as plain exis- 
tence of certain states). This makes stubborn set based reduction applicable to 
some quantitative analysis queries such as scheduling problems. 
Abstract. CORBA is a standard proposed by the Object Management Group 
(OMG) in order to promote interoperability between distributed object systems. 
CORBA provides a programming-language neutral Interface Definition 
Language (IDL) that describes the syntactic aspects of services supported by 
remote objects. However, CORBA IDL does not provide any means to specify 
the behaviour of objects in an abstract and formal way. Behaviour specification 
is provided either in plain English, or directly in the programming language 
chosen for the implementation. We propose the use of Cooperative Objects, a 
dialect of object-structured high-level Petri nets, as formalism for behavioural 
specification of CORBA systems. We detail at the syntactic and semantic level 
how this formalism supports the features of the CORBA object model. We 
present a realistic case study to demonstrate our approach. 



Keywords: Distributed systems, CORBA, behavioural specification, high-level 
Petri nets. 



1 Introduction 

CORBA [16], [21] (Common Object Request Broker Architecture) is a standard 
proposed by the Object Management Group (OMG) in order to promote 
interoperability between distributed object systems. The appearance of an industrial 
standard is an indication that the field of object-oriented distributed computing has 
moved, in the past few years, from experimental research projects to mainstream 
commercial products. 

CORBA proposes an Interface Definition Language (IDL), independent from any 
programming language (although closely patterned after C++) and object-oriented, 
supporting specialisation of interfaces through inheritance. A CORBA-IDL interface 
specifies at a syntactic level the services that a client object can request from a server 
object that implements this interface. The interface details the services supported and 
their signature: a list of parameters with their IDL type and parameter-passing mode, 
the IDL type of the return value, the exceptions that may possibly be raised during the 
processing of the service. 
    interface Example { 
        exception reject; 
        integer op1 (in string a); 
        void op2 (inout float b, out integer c) 
            raises (reject); 
    } 

Fig. 1. An example of CORBA IDL 



Fig. 1 illustrates the definition of an interface in CORBA IDL. This text defines 
one interface (Example) supporting two services (op1 and op2). The figure also 
illustrates the syntax for the various parameter-passing modes (in, out or inout) and of 
the exceptions. The keyword exception defines an exception type, while the keyword 
raises specifies what types of exceptions may be raised by a service. 



A recognised limitation of CORBA is that it defines remote object classes in terms of 
their interface only. CORBA IDL covers only the syntactic aspects of the possible use 
of a remote object and does not cover any semantic or behavioural description, while 
this information is obviously of prime importance for the clients. By behavioural 
aspect, we mean: 

• The constraints on the order of invocation of the services described in the 
interface. 

• The concurrency constraints of the remote object: is it able to support concurrent 
access to its services, or does it enforce a serialisation on the concurrent invocations? 

• The conditions under which an exception might be raised during the processing 
of a service. 



What CORBA lacks is an abstract way to specify the semantics of an IDL interface 
without constraining its implementation, much in the same way that an Abstract Data 
Type [8] (ADT) specification can be used for specifying the semantics of a sequential 
data type. 

The present paper aims at providing a suitable solution to the problem of 
behavioural specification of distributed objects, in the context of CORBA. The paper 
is organised as follows: We first detail the requirements for a behavioural 
specification formalism suited to CORBA. We then present how the Cooperative 
Objects formalism needs to be adapted in order to support fully the CORBA model. 
Section 3 presents a significant case study of specification using our approach. 
Section 4 explains how the formalism can be used to enable rapid prototyping of 
distributed systems. 
2 Behavioural Specification of CORBA Systems 

Our goal is to provide a notation suited to the behavioural specification of CORBA 
systems: we want to be able to describe the behaviour of a collection of interacting 
objects, and not merely the behaviour of a single object in isolation. A formal notation 
aimed at serving this goal has to comply with several requirements: 

• Cope with data-flow as well as with control flow. The formalism needs to be able 
to deal with typed values, and not only with pure causal relationships. It will often be 
the case that the behaviour of a CORBA system depends not only on the previous 
history of invocations between objects, but also on the values exchanged during 
previous invocations. For a given state of an object, an invocation may succeed or fail 
according to the values of parameters of the invocation. This obligation to deal with 
data-flow as well as control-flow rules out the use of “basic” Petri nets as a potential 
formalism, since we need coloured tokens to model the data exchanged between 
objects. 

• Cope with the dynamicity of object references: A behavioural specification 
formalism for CORBA has to support its fundamental object model, and more 
precisely to allow remote objects to be designated by references, and these references 
to be transmitted as invocation parameters. Several object-oriented Petri net 
formalisms [23], [13], aimed at providing a solid theoretical basis to concurrent 
object-oriented computation, refrain from using references, and prefer considering 
tokens as objects, and not references to objects. Such formalisms prevent the same object 
from being referenced by different tokens in different places, and thus would make the 
specification of a reference-based system such as CORBA less straightforward. The 
work of [15], which aims at providing Petri-net-based semantics to agent-based 
systems, deals directly with the dynamics of object references. 

• Allow specifying internal concurrency for objects. This point is especially 
important for CORBA since a CORBA server object will often be a "large grained" 
entity shared by a lot of clients, providing services whose processing will take some 
time. It is therefore unrealistic to enforce that each service is atomic, so that at most 
one service is active at any time at the server. Actually, all current CORBA 
ORBs allow for "multi-threaded" server implementations, where a server object can 
serve several services at the same time. Some attempts have been made to extend the 
theory of Abstract Data Types in order to specify the behaviour of concurrent objects 
[14]. Most of these approaches consider an object as a monitor, allowing only one 
service to be active at a time, and thus cannot be extended to the modelling of distributed 
CORBA servers with internal concurrency. 

• Serve the needs of the implementers of the server class, as well as those of the 
designers of systems that will be clients for this server. On the one hand, the 
behavioural specification must be complete and precise enough that the programmer 
implementing the server in some programming language knows in a precise and non- 
ambiguous way what behaviour to implement; the specification must be abstract 
enough not to constrain the implementation choices of the programmer. On the other 
hand, the potential clients of the class will use the specification to gain a non- 
ambiguous understanding of the semantics of each service. 
The behavioural specification of object systems is a field of research per se [11]. 
Among the various formalisms proposed, StateCharts [9] comply with the above 
requirements, and are actually the behavioural formalism for the popular Unified 
Modelling Language (UML) notation [18], [19]. Several attempts have been made to 
use process algebraic techniques in this domain, notably the work of [7], which 
provides an algebraic semantics to the various invocation modes of CORBA. 

We propose the use of high-level Petri nets as the behavioural specification 
medium for CORBA systems. The usefulness of combining Petri nets and objects has 
been recognised by several authors, as witnessed by the workshops held at previous 
editions of the ATPN conference [1], [2]. More particularly, we use an object-oriented 
dialect of high-level Petri nets called Cooperative Objects. This formalism complies 
with the requirements listed above, and its Petri net roots provide us with a powerful 
basis for modelling and analysing concurrent behaviours. 



2.1 The Cooperative Object Formalism 

Cooperative Objects [5] (CO) are a dialect of object-structured, high-level Petri nets. 
Their lengthy formal definition has been provided in previous publications [3], [20], 
and we will only recall informally their main features, through examples. CO can be 
considered as a dialect of coloured Petri nets [10], from which they differ mainly in their 
object-oriented features and in the different arc inscriptions. 

A CO class specifies a class of objects by providing their interface (the set of 
services offered, along with their signature) and their dynamic behaviour. The 
behaviour of a CO class is called its Object Control Structure (ObCS), and is defined 
with a dialect of high-level Petri nets. More specifically: 

• Tokens are tuples of typed values. The arity of a token is the number of values it 
holds, and tokens of zero-arity are thus the "basic" tokens used in conventional Petri 
nets. We will call Token-type a tuple of types, describing the individual types of the 
values held by a token. Token-types will be noted <Type1, ... Typen> or just <> to 
denote the Token-type of zero-arity tokens. 

• Places are defined to hold tokens of a certain Token-type; thus all tokens stored in 
one place have the same Token-type and arity. A place holds a multiset of tokens; 
thus a given token may be present several times in the same place. 

• Each arc is inscribed by a tuple of variables, with a given multiplicity. The arity 
of an arc is the number of variables associated to it. The arity of an arc is necessarily 
the same as the arity of the Token-type of the place it is connected to, and the type of 
each variable is deduced from this Token-type. The multiplicity of an arc is the 
number of identical tokens that will be processed by the firing of a transition 
associated to this arc. The general form of an arc inscription is 
multiplicity*<v1, ... vn>. A multiplicity of 1 can be omitted (thus 
1*<v1, ... vn> can be abbreviated as <v1, ... vn>) and an empty list of variables 
can also be omitted (thus 2*<> can be abbreviated as 2). 

• Transitions have a precondition (a Boolean expression of their input variables) 
and an action, which may use any service allowed for the types of their input or output 
variables. The scope and type of each variable of an arc is local to the transition the 
arc connects to. 

A transition is enabled when: 

• A substitution of its input variables to values stored in the tokens of its input 
places can be found, 

• The multiplicity of each substituted token in the input places is greater than or equal 
to the multiplicity of the input arc, 

• The precondition of the transition evaluates to true for the substitution. 

The firing of a transition will execute the transition’s action, compute new tokens 
and store them in the output places of the transition. The formalism also supports two 
arc extensions [12]: test arcs and generalised inhibitor arcs. 



place p1 <string, integer> = { 3*<"hello", 1>, 2*<"hello", 2>, <"bye", 3> }; 
place p2 <integer> = { <1>, <3> }; 
place p3 <integer> = { <0>, <3>, <4> }; 
place p4 <integer> = { }; 

transition T1 { 
  precondition { true }; 
  action { }; 
} 

transition T2 { 
  precondition { b > 0 }; 
  action { c = b+1; } 
} 

(Graphic part of the figure: arc inscriptions 2*<a,b> from p1 to T1, <b> on the 
test arc from p2 to T1, <b> from T1 to p4, <b> from p3 to T2, <b> on the inhibitor 
arc from p2 to T2, and <c> from T2 to p4.) 

Fig. 2. Excerpt of a CO class 

Fig. 2 shows an excerpt of a CO net, along with the textual notation used to 
describe the Token-types of the places, their initial marking and the transitions' 
preconditions and actions. 

The arc between p2 and T1 is a test arc, and the arc between p2 and T2 is a 
generalised inhibitor arc. The T1 transition is only enabled by the following 
substitution: {a => "hello", b => 1}. It is not enabled by {a => "hello", b => 2} since 
no substitution with b = 2 can be found in place p2. It is not enabled by {a => "bye", 
b => 3} since the token <"bye", 3> has insufficient multiplicity in place p1. 

Likewise, T2 is only enabled by {b => 4}. The inhibitor arc between p2 and T2 
prevents the substitution {b => 3}, while the precondition of T2 prevents the 
substitution {b => 0}. 

From the initial marking described in Fig. 2, the occurrence of T1 would result in a 
marking of { 1*<"hello",1>, 2*<"hello",2>, <"bye",3> } in p1, and of { <1> } in p4, 
the markings of p2 and p3 remaining unchanged. From the same initial marking, the 
occurrence of T2 would result in a marking of { <0>, <3> } in p3 and of { <5> } in 
p4, the markings of p1 and p2 remaining unchanged. 
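The enabling and firing rules above, as an added Python example that is not part of the paper: a small interpreter for CO nets with ordinary, test and generalised inhibitor arcs, run on the net of Fig. 2. The places, initial marking and arc inscriptions are those described in the text; the interpreter itself, its data layout and its two simplifying assumptions (at most one arc of each kind between a place and a transition, and every variable of an inhibitor or output arc bound by an input or test arc or by the action) are ours.

```python
from collections import Counter

# Added example: a minimal interpreter for Cooperative Object nets. Places hold
# multisets of tuples (Counter); an arc is (place, multiplicity, variables).
# Assumptions: one arc of each kind per (place, transition) pair, and every
# variable of an inhibitor or output arc is bound by an input/test arc or by
# the action.

def token_of(variables, sub):
    """Build the token <v1, ..., vn> denoted by an arc inscription under a substitution."""
    return tuple(sub[v] for v in variables)

def candidate_substitutions(marking, arcs):
    """Extend the empty substitution with the values of the tokens found in the
    places read by the given (input or test) arcs, keeping consistent bindings only."""
    subs = [{}]
    for place, _mult, variables in arcs:
        extended = []
        for sub in subs:
            for token in marking[place]:
                cand = dict(sub)
                consistent = True
                for var, value in zip(variables, token):
                    if cand.get(var, value) != value:   # same variable, other value
                        consistent = False
                        break
                    cand[var] = value
                if consistent and cand not in extended:
                    extended.append(cand)
        subs = extended
    return subs

def is_enabled(net, marking, t, sub):
    """Enabling rule: enough tokens for each input and test arc, no matching token
    for each generalised inhibitor arc, and a true precondition."""
    spec = net[t]
    for place, mult, variables in spec["in"] + spec["test"]:
        if marking[place][token_of(variables, sub)] < mult:
            return False
    for place, _mult, variables in spec["inhibit"]:
        if marking[place][token_of(variables, sub)] > 0:
            return False
    return bool(spec["pre"](sub))

def enabled_substitutions(net, marking, t):
    """All substitutions that enable transition t in the given marking."""
    spec = net[t]
    return [s for s in candidate_substitutions(marking, spec["in"] + spec["test"])
            if is_enabled(net, marking, t, s)]

def fire(net, marking, t, sub):
    """Firing rule: consume the input tokens (test and inhibitor arcs consume
    nothing), run the action, deposit the output tokens. Returns a new marking."""
    if not is_enabled(net, marking, t, sub):
        raise ValueError(f"{t} is not enabled under {sub}")
    spec = net[t]
    new = {p: Counter(c) for p, c in marking.items()}
    for place, mult, variables in spec["in"]:
        new[place][token_of(variables, sub)] -= mult
    values = dict(sub)
    values.update(spec["action"](sub) or {})
    for place, mult, variables in spec["out"]:
        new[place][token_of(variables, values)] += mult
    for c in new.values():                  # keep the multisets free of zero entries
        for tok in [k for k, n in c.items() if n <= 0]:
            del c[tok]
    return new

# The net of Fig. 2: places, initial marking and inscriptions as described in the text.
FIG2_NET = {
    "T1": {"in": [("p1", 2, ("a", "b"))], "test": [("p2", 1, ("b",))], "inhibit": [],
           "out": [("p4", 1, ("b",))],
           "pre": lambda s: True, "action": lambda s: {}},
    "T2": {"in": [("p3", 1, ("b",))], "test": [], "inhibit": [("p2", 1, ("b",))],
           "out": [("p4", 1, ("c",))],
           "pre": lambda s: s["b"] > 0, "action": lambda s: {"c": s["b"] + 1}},
}
M0 = {
    "p1": Counter({("hello", 1): 3, ("hello", 2): 2, ("bye", 3): 1}),
    "p2": Counter({(1,): 1, (3,): 1}),
    "p3": Counter({(0,): 1, (3,): 1, (4,): 1}),
    "p4": Counter(),
}

if __name__ == "__main__":
    for t in FIG2_NET:
        print(t, "enabled by", enabled_substitutions(FIG2_NET, M0, t))
    m1 = fire(FIG2_NET, M0, "T1", {"a": "hello", "b": 1})
    print("after T1:", {p: dict(c) for p, c in m1.items()})
```

Running the block reproduces the discussion of Fig. 2: T1 is enabled only by {a => "hello", b => 1}, T2 only by {b => 4}, and the markings after each occurrence are the ones given in the text.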



2.2 Integrating CORBA IDL and Cooperative Objects 

Cooperative Objects were initially defined independently of CORBA [3], but CO and 
CORBA happen to share the same object model, as described in §1. CO and CORBA 
complement each other nicely: The initial description of CO used an idiosyncratic 
language to describe interfaces, while CORBA provides an attractive, language 
neutral IDL. On the other hand, CO can be used to provide the behavioural 
information lacking in CORBA-IDL. 

This section presents the syntactic adaptations that CO requires to match CORBA-IDL 
more closely, and some additions to the formalism supporting CORBA-specific 
constructs such as exceptions and parameter-passing modes. 

CORBA-IDL will be used as the data description language used by Cooperative 
Objects. Cooperative Objects will use IDL to describe: 

• The system of data types used by the ObCS nets of Cooperative Objects. The 
Token-type of the places will thus be described in terms of CORBA IDL, and the 
variables on the arc will be of an IDL-defined type. 

• The interface of a Cooperative Object class itself. 

To achieve the integration of Cooperative Objects and CORBA IDL, we need to 
define a mapping from the constructs of CORBA IDL to those of Cooperative 
Objects, much in the same way that CORBA defines mappings from IDL to 
conventional programming languages such as C++, Smalltalk or Java. 

We now illustrate the CO-CORBA integration by showing how a CO class can add 
to the interface of Fig. 1 the behavioural aspects that are needed to complete its 
definition. 

Fig. 3 shows a CO class definition, corresponding to the CORBA-IDL of Fig. 1 . 
Part of this class definition is directly deduced from the interface, while the other part 
corresponds to the behavioural specification added by the designer. The parts added 
are greyed out for clarity. 
class ExampleSpec specifies Example { 
  place op1 <string>;            // SIP of op1 
  place op1 <integer>;           // SOP of op1 
  place op2 <float>;             // SIP of op2 
  place op2 <float, integer>;    // SOP of op2 
  place op2 <Exception>;         // SEP of op2 
  place p1 <string>; 
  place p2 <integer>; 
  transition T1 { 
    action { 
      string x = a.toString(); 
      integer y = a; 
    } 
  } 
  transition T2 { 
    precondition { b < 0.0; } 
  } 
  transition T3 { 
    precondition { b >= 0.0; } 
  } 
  // Several place and transition definitions omitted 
} 

Fig. 3. A CO specification of the Example interface 
2.2.1 IDL Interfaces and CO Classes 

A CO class may specify one or several IDL interfaces. This is convenient since, 
very often, several interfaces are given for the same entity to allow providing different 
views of the same object, tailored for the needs of different clients. The CO class of 
Fig. 3 specifies only one interface, namely Example. The keyword specifies is 
followed by the list of CORBA-IDL interfaces specified by the CO class. 



2.2.2 Mapping for Services 

Each service op defined in an IDL interface is mapped to two or three places in the 
ObCS net: a Service Input Port (SIP, labelled op), a Service Output Port (SOP, also 
labelled op) and a Service Exception Port (SEP, also labelled op), the latter only 
present if the service may raise an exception. These three places are derived from the 
IDL as follows: 

• The Token-type of the SIP is the concatenation of the IDL types of all in and 
inout parameters of the service; 

• The Token-type of the SOP is the concatenation of: 

  • the IDL type of the result returned by the service (if any), 

  • the list of the IDL types of all out and inout parameters of the service. 

• The Token-type of the SEP is <Exception>, where Exception is the super-type 
of all IDL exception types. The SEP is only used if the service raises an exception. 

According to the IDL of Fig. 1, the service op1 is mapped onto two places: op1 for the 
SIP and op1 for the SOP; op1 has no SEP. Service op2 is mapped onto three places: 
its SIP, its SOP and its SEP. Their Token-types are as follows: op1 (SIP): <string>, 
op1 (SOP): <integer>, op2 (SIP): <float>, op2 (SOP): <float, integer>. As service op2 
raises the reject exception, a SEP op2 is added, with Token-type <Exception>. 

The invocation of one service op results in one token holding all in and inout 
parameters being deposited in its SIP. The role of the ObCS net is to process this 
parameter token in some way, and eventually deposit a result token (holding the result 
of the service, plus all out or inout parameters) in the SOP, thus completing the 
processing of the invocation. An invocation that raises an exception at some point will 
instead result in an exception token being deposited in the SEP. 

In order for the invocation to proceed in a sound way, the ObCS structure must 
respect a set of constraints. Informally, an object will provide either a result or an 
exception for each invocation, and will only provide results if it has been previously 
invoked. With respect to the ObCS, the arrival of one token in the SIP will eventually 
result later on in exactly one token being deposited either in the SOP or in the SEP. 

The necessary and sufficient structural constraints on the ObCS net are as follows: 

• Constraint 1: The SIP can only have output arcs in the ObCS net; 

• Constraint 2: The SOP can only have input arcs; 

• Constraint 3: The SEP can only have input arcs, these arcs coming from specific 
exception transitions (see 2.2.5). 
The ObCS models an "open" server, where the environment (clients) can deposit 
tokens in the SIP and take tokens from the SOP or SEP. As we are only considering the 
server side, we need to "close" the server system by modifying its ObCS, if we want 
to investigate its behaviour in isolation. 

For each service op, two closing transitions are added and connected to the 
ObCS in the following way: the first has the SOP of op as its only input place and the 
SIP of op as its only output place; the second has the SEP of op as its only input place 
and the SIP of op as its only output place. We define the Operation Control Structure 
(OpCS) of a service as the set of minimal P-Invariants [6] where SIP, SOP and SEP 
appear together. Note that the added transitions exist only for computing the 
P-Invariants, and are not actually part of the ObCS. The P-Invariants are calculated 
on the ObCS's underlying net, i.e. a net where variables are removed from the arcs and 
Token-types are ignored. 

• Constraint 4: An OpCS has a correct structure if it is not empty (at least one P- 
Invariant must exist in the ObCS where the Input, Output and Exception port 
appear together). 

With respect to the ObCS presented in Fig. 3, the OpCS of op1 consists of the 
places {op1 (SIP), p1, p2, p6, p7, op1 (SOP)}, since the minimal P-invariants where the 
SIP and the SOP of op1 appear together are {op1 (SIP), p1, p6, op1 (SOP)} and 
{op1 (SIP), p2, p7, op1 (SOP)}. Likewise, the OpCS of service op2 is 
{op2 (SIP), p5, op2 (SOP), op2 (SEP)}. 
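Constraints 1 to 4 of this section, as an added Python example that is not part of the paper: the closing transitions are added to the underlying net, its minimal P-invariants are computed with Farkas' algorithm, the OpCS of each service is extracted, and the port constraints are checked. Since Fig. 3 omits most of the net, the ObCS below is a constructed one whose invariants are exactly those stated above for op1 and op2; the transition names T4 to T7 and the arc layout are our assumptions.

```python
from functools import reduce
from math import gcd

# Added example: structural checks of §2.2.2 on the underlying net of an ObCS
# (variables and Token-types dropped). Arcs are (source, target, weight); an
# endpoint not listed among the places is a transition.

def incidence(places, transitions, arcs):
    """Incidence matrix C[p][t] = Post(p, t) - Pre(p, t)."""
    ip = {p: i for i, p in enumerate(places)}
    it = {t: j for j, t in enumerate(transitions)}
    C = [[0] * len(transitions) for _ in places]
    for src, dst, w in arcs:
        if src in ip:
            C[ip[src]][it[dst]] -= w      # place -> transition consumes
        else:
            C[ip[dst]][it[src]] += w      # transition -> place produces
    return C

def p_invariants(C):
    """Farkas' algorithm: the minimal non-negative integer vectors y with y^T C = 0."""
    n = len(C)
    rows = [(list(C[i]), [int(k == i) for k in range(n)]) for i in range(n)]
    for j in range(len(C[0])):
        pos = [r for r in rows if r[0][j] > 0]
        neg = [r for r in rows if r[0][j] < 0]
        rows = [r for r in rows if r[0][j] == 0]
        for cp, yp in pos:
            for cn, yn in neg:
                a, b = -cn[j], cp[j]          # a*cp + b*cn cancels column j
                c = [a * x + b * y for x, y in zip(cp, cn)]
                y = [a * x + b * y for x, y in zip(yp, yn)]
                g = reduce(gcd, y)
                rows.append((c, [v // g for v in y]))
    found = {tuple(y) for _, y in rows}
    support = lambda y: frozenset(i for i, v in enumerate(y) if v)
    return [y for y in found if not any(support(z) < support(y) for z in found)]

def close_server(arcs, services):
    """Add the closing transitions of each service (SOP -> SIP and SEP -> SIP);
    they exist only for the invariant computation."""
    closed = list(arcs)
    for name, (sip, sop, sep) in services.items():
        closed += [(sop, f"close_{name}", 1), (f"close_{name}", sip, 1)]
        if sep:
            closed += [(sep, f"closex_{name}", 1), (f"closex_{name}", sip, 1)]
    return closed

def opcs(places, arcs, services):
    """Operation Control Structure of every service: the union of the minimal
    P-invariants in which its SIP, SOP and (if any) SEP appear together.
    Returns {service: (sorted places, invariants)}; Constraint 4 fails when the
    invariant list is empty."""
    closed = close_server(arcs, services)
    transitions = list(dict.fromkeys(x for s, d, _ in closed for x in (s, d) if x not in places))
    invs = p_invariants(incidence(places, transitions, closed))
    result = {}
    for name, ports in services.items():
        wanted = {places.index(p) for p in ports if p}
        members = [y for y in invs if wanted <= {i for i, v in enumerate(y) if v}]
        result[name] = (sorted({places[i] for y in members for i, v in enumerate(y) if v}), members)
    return result

def port_violations(arcs, services, exception_transitions):
    """Constraints 1-3: SIP has output arcs only, SOP input arcs only, SEP input
    arcs only and only from exception transitions. Returns the violations found."""
    problems = []
    for name, (sip, sop, sep) in services.items():
        for src, dst, _ in arcs:
            if dst == sip:
                problems.append(f"{name}: SIP {sip} has an input arc from {src}")
            if src == sop:
                problems.append(f"{name}: SOP {sop} has an output arc to {dst}")
            if sep and src == sep:
                problems.append(f"{name}: SEP {sep} has an output arc to {dst}")
            if sep and dst == sep and src not in exception_transitions:
                problems.append(f"{name}: SEP {sep} is fed by non-exception transition {src}")
    return problems

# Constructed ObCS consistent with the OpCS stated for Fig. 3 (the paper omits the
# full net): op1 forks into the branches p1->p6 and p2->p7 that join before its SOP;
# op2 passes through p5, then either T3 completes it or the exception transition T2
# deposits a token in its SEP. Transition names other than T1/T2/T3 are assumed.
PLACES = ["op1_sip", "p1", "p2", "p6", "p7", "op1_sop", "op2_sip", "p5", "op2_sop", "op2_sep"]
OBCS_ARCS = [
    ("op1_sip", "T1", 1), ("T1", "p1", 1), ("T1", "p2", 1),
    ("p1", "T4", 1), ("T4", "p6", 1), ("p2", "T5", 1), ("T5", "p7", 1),
    ("p6", "T6", 1), ("p7", "T6", 1), ("T6", "op1_sop", 1),
    ("op2_sip", "T7", 1), ("T7", "p5", 1),
    ("p5", "T3", 1), ("T3", "op2_sop", 1), ("p5", "T2", 1), ("T2", "op2_sep", 1),
]
SERVICES = {"op1": ("op1_sip", "op1_sop", None), "op2": ("op2_sip", "op2_sop", "op2_sep")}
EXCEPTION_TRANSITIONS = {"T2"}

if __name__ == "__main__":
    print("violations:", port_violations(OBCS_ARCS, SERVICES, EXCEPTION_TRANSITIONS))
    for name, (ps, invs) in opcs(PLACES, OBCS_ARCS, SERVICES).items():
        print(name, ps, len(invs), "invariant(s)")
```

On this net the OpCS of op1 is {op1_sip, op1_sop, p1, p2, p6, p7} made of two invariants and the OpCS of op2 is {op2_sep, op2_sip, op2_sop, p5} made of one; deleting the arc from T6 to the SOP of op1 leaves op1 with no invariant at all, which is how a violation of Constraint 4 (an invocation that can never be answered) shows up in the analysis.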



2.2.3 Mapping for Parameter-Passing Modes 

The semantics of the three parameter-passing modes of CORBA IDL is clear. 

• in parameters are values provided by the caller, that the service may use at its 
own will; 

• out parameters are values computed by the service, and returned to the caller; 

• inout parameters are values transformed by the service, i.e. provided by the caller 
and returned to it after being processed. 

Constraint 5: Only inout parameters require a special treatment in the OpCS 
structure: in order to ensure that any inout parameter is properly transmitted from the 
Service Input Port to the Service Output Port, a sufficient condition is to check that 
the parameter name appears on every arc connected to each place of the OpCS. 

This is the case for service op2 in Fig. 3, as the inout parameter b is transmitted 
along the P-invariant {op2 (SIP), p5, op2 (SOP), op2 (SEP)}. 



2.2.4 Semantics of Invocations in Transitions 

We want to be able to model CORBA systems, and not only isolated CORBA 
servers. Actually, the behaviour of one class in isolation will often be of little interest, 
and will only become meaningful when we can describe how an instance of the class 
may interact with other instances of other classes in the system. 

CORBA objects interact with one another by invoking services defined by the IDL 
interfaces they support. The Cooperative Object formalism supports this form of 
cooperation by allowing the action of a transition to be the invocation of a service. 
The operational semantics of such an invocation transition is a client/server protocol 
that can be formally defined in terms of Petri nets. 



place PA <string>; 
place PB <Example>; 
place PC <string, Example, integer>; 
transition Tinv { 
  action { r = s.op1(p); } 
} 

(Graphic part of the figure: input arcs <p> from PA and <s> from PB to Tinv, whose 
action is r = s.op1(p); output arc <p, s, r> from Tinv to PC.) 

Fig. 4. An example of invocation transition 



The client-server protocol we use was first presented in [17] for basic Petri 
nets, extended to object-oriented high-level Petri nets in [3], and is presented with its 
full theoretical details in [20]. The fact that not only the internal behaviour of objects, 
but also their communication protocol is defined in terms of Petri nets enables us to 
reason about systems of cooperating objects, and not only about isolated instances. 

The client-server protocol provides semantics for invocation transitions such as the 
one illustrated in Fig. 4. An invocation transition is a transition whose action is the 
call of a service supported by one of its input parameters. In the example above, 
variable s is of type Example, and the Example interface supports the service op1. 

The semantics of an invocation transition is illustrated in Fig. 5. This semantics 
requires adaptation of the ObCS on the client side, and on the server side. 

On the client’s side the adaptation is as follows: 

• The invocation transition is considered as a macro-transition extending from the 
request transition to the complete transition. The request transition constructs a 
parameter token, including the original parameters of the service and a globally 
unique call-identifier. The call-identifier is of type CallID. This token is deposited in 
the Invocation Parameter port. 

• A waiting place is introduced between the request transition and the complete 
transition. The presence of a token in this place indicates that a call is in progress. 

• The results from the service call will be returned to the client in its Invocation 
Result Port. The arrival of a return token will enable the complete transition, and 
terminate the service call on the client's side. It is important to note that the variable 
id is present on both input arcs of the complete transition: the transition is only 
enabled if a substitution is possible between the token values held in the Waiting and 
Result Port places, meaning that the same id is found in both tokens. This construct is 
necessary to allow a client to issue several invocations concurrently, and to enable the 
client to match the results it receives with the parameters it initially provided. 

(Figure: (a) client's side: Request Transition, Waiting place holding <p, id>, 
Invocation Parameter port <p, id>, result port for client object <r, id>, Complete 
Transition; (b) server's side: input port for object s <p, id>, OpCS for op1, <r, id> 
routed back to the client's result port.) 

Fig. 5. Semantics of invocation transitions 

On the server’s side the adaptation is as follows: 

The structure of the net is not altered, only the definition of the places' types and 
the inscriptions on the arcs. The only requirement for the server is to transmit the call-
id within the service subnet, so that the results of the service can be properly routed 
back to the caller. This is done by appending the type CallID to each place of the 
service OpCS, and correspondingly adding a variable on the arcs. 



2.2.5 Mapping for Exceptions 

CORBA IDL allows specifying exceptions that may be raised during the 
processing of an invocation. An exception is an object of a specific data-type, and can 
hold information on the causes of its occurrence or other useful data. 

When an exception is raised, the normal processing of the service is cancelled, the 
result, out and inout parameters of the service are undefined, an exception object is 
instantiated and only this object is transmitted to the client of the invocation. 

In order to specify properly the behaviour of a CORBA system, our formalism 
needs to address two concerns: 
• Define under which conditions an exception may be raised during the processing 
of an invocation, and what corrective actions are eventually needed in the server 
object to restore a consistent state. 

• Define what action a client object needs to take if a service invocation results in 
an exception instead of providing the expected result. 



The first point is tackled by exception transitions: 

Constraint 6: exception transitions are labelled by the name of the exception data-
type that is raised. They can have input and output arcs from any place of the OpCS of 
one service, but necessarily have exactly one output arc connected to the SEP of this 
service. The occurrence of an exception transition models the fact that an exceptional 
condition has occurred during the processing of an invocation, and that this processing 
cannot be carried any further. 
Fig. 6. Invocation transition with exception handling 

The T2 transition in Fig. 3 is an exception transition. It models the fact that the b 
parameter of the op2 service needs to respect some constraints in order to be properly 
processed by the service. In the figure, the T2 and T3 transitions are in structural 
conflict, but this conflict is solved deterministically since the preconditions of these 
two transitions are mutually exclusive. 

The second point is tackled by: 

• a simple syntactic extension of the graphic syntax of invocation transitions 
(called emission rules), 

• a straightforward extension of the client-server protocol described in §2.2.4, 
acknowledging the fact that an invocation can have two different outcomes: a normal 
outcome, providing the expected results, or an exception outcome, providing no result 
other than the exception raised by the server. 

Fig. 6 illustrates the graphic syntax of an invocation transition with exception 
handling (left side) and the associated semantics expressed as a macro-transition (right 
side). An invocation transition may feature an exception outcome (labelled Exception) 
and a normal outcome (labelled else). An outgoing arc can only be connected to one 
outcome. Arcs connected to the exception outcome are labelled by the input variables 
of the transition, plus a variable to denote the exception object received; they can 
refer neither to the result of the invocation nor to out or inout parameters. 
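The client/server protocol of §2.2.4 together with its two-outcome extension of §2.2.5, as an added Python example that is not part of the paper: the places of Figs. 5 and 6 are modelled as token containers, the request transition stamps each parameter token with a fresh CallID, the server answers out of order, and the complete transition pairs every <r, id> or <ex, id> with the <p, id> token that carries the same id. The paper only says that results are routed back to the caller; here the parameter token also carries a reference to the calling object, and CallIDs are drawn from a global counter, both assumptions of ours.

```python
import itertools

# Added example: the client/server protocol of Figs. 5 and 6 as token passing
# between places, with the call-identifier pairing each result or exception with
# the invocation that produced it. Assumptions: CallIDs come from a global
# counter, and the parameter token carries a reference to the caller so the
# server can route <r, id> or <ex, id> back to that client's ports.

CALL_IDS = itertools.count(1)

class ServiceException(Exception):
    """Stands in for an IDL exception type raised by an exception transition."""

class Server:
    """Server side (Fig. 5b): the SIP of one service with CallID appended; the
    service callable stands in for the OpCS of that service."""
    def __init__(self, service):
        self.service = service
        self.sip = []                       # tokens <p, id, caller>

    def process(self, order=None):
        """Process the pending invocations, by default in arrival order, and deposit
        <r, id> in the caller's result port or <ex, id> in its exception port."""
        for cid in list(order or [tok[1] for tok in self.sip]):
            p, _, caller = next(tok for tok in self.sip if tok[1] == cid)
            self.sip.remove((p, cid, caller))
            try:
                caller.result_port.append((self.service(p), cid))
            except ServiceException as ex:
                caller.exception_port.append((ex, cid))

class Client:
    """Client side (Figs. 5a and 6): request transition, Waiting place, result
    and exception ports, and the complete transition with its two outcomes."""
    def __init__(self):
        self.waiting = {}            # Waiting place: id -> <p, s>
        self.result_port = []        # Invocation Result Port: <r, id>
        self.exception_port = []     # exception port: <ex, id>
        self.normal_out = []         # 'else' outcome, e.g. place PC of Fig. 4: <p, s, r>
        self.exception_out = []      # 'Exception' outcome: <p, s, ex>, no result

    def request(self, p, s):
        """Request transition: bind a fresh id, remember <p, s> and send <p, id>."""
        cid = next(CALL_IDS)
        self.waiting[cid] = (p, s)
        s.sip.append((p, cid, self))
        return cid

    def complete(self):
        """Complete transition: fires once per <r, id> (or <ex, id>) whose id also
        appears on a <p, id> token in Waiting. Returns the ids completed."""
        done = []
        for port, outcome in ((self.result_port, self.normal_out),
                              (self.exception_port, self.exception_out)):
            for value, cid in list(port):
                if cid in self.waiting:          # same id on both input arcs
                    p, s = self.waiting.pop(cid)
                    port.remove((value, cid))
                    outcome.append((p, s, value))
                    done.append(cid)
        return done

def demo():
    """Three concurrent invocations of op1 on one server, answered in reverse
    order, one of them raising; returns the client's two outcome places and
    what is left in its Waiting place."""
    def op1(p):                      # stands in for the OpCS of op1: string -> integer
        if not p:
            raise ServiceException("empty parameter")
        return len(p)
    server, client = Server(op1), Client()
    ids = [client.request(p, server) for p in ("alpha", "be", "")]
    server.process(order=list(reversed(ids)))   # results come back out of order
    client.complete()
    return client.normal_out, client.exception_out, client.waiting

if __name__ == "__main__":
    normal, exceptional, waiting = demo()
    print([(p, r) for p, _, r in normal], [(p, str(e)) for p, _, e in exceptional], waiting)
```

Although the server answers the calls in reverse order, each parameter is paired with its own result ("alpha" with 5, "be" with 2) because the complete transition binds id on both of its input arcs; the call with the empty parameter ends in the exception outcome with the parameters and the exception object but no result, and the Waiting place is empty once every call has been completed.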



3 A Case Study in CORBA Behavioural Specification 



module Banking { 
  exception noSuchAccount {}; 
  exception nameAlreadyExists {}; 
  exception insufficientFunds {}; 
  exception accountIsClosed {}; 

  interface Account;      // forward declaration, needed since Bank refers to Account 

  interface Bank { 
    Account newAccount(in string name, in float initialAmount) 
      raises (nameAlreadyExists); 
    Account findAccount(in string name) 
      raises (noSuchAccount); 
    void closeAccount(in Account account) 
      raises (noSuchAccount); 
  }; 

  interface Account { 
    void transfer(in float amount) 
      raises (accountIsClosed, insufficientFunds); 
    float balance(); 
  }; 

  interface BankAccount : Account { 
    void open(); 
    void close(); 
  }; 
}; 

Fig. 7. The IDL text for the banking system 
To illustrate our modelling approach, we now detail an example dealing with the 
banking business. This example is typical of the intended use of the CORBA 
technology (although much shorter than real-life examples) and is in fact used as a 
tutorial example for several commercial ORBs. Despite its small size, it illustrates all 
the main aspects of our technique, including exceptions, interface inheritance and 
realistic behavioural specification featuring intra-object concurrency. 

The banking system is composed of two different kinds of entities: bank accounts, 
which keep a (positive or null) amount of money, and banks, which keep a set of bank 
accounts. This system is first described in terms of CORBA IDL. Cooperative Object 
class specifications are then provided, to specify the behaviour of the system. 

Fig. 7 shows the interface of the banking system, expressed in CORBA IDL. This 
IDL first defines data types for the exceptions that might be thrown during processing 
(noSuchAccount, nameAlreadyExists, insufficientFunds, accountIsClosed), and 
defines three interfaces: 

• Bank, which the customers will use to create, close, and access their accounts. A 
bank is merely a repository for bank accounts, and allows associating an Account 
reference with a human-readable name. The service findAccount allows retrieving an 
Account reference for which only the name is known; 

• Account, offering a service to obtain the current balance (balance) and a single 
service to credit or debit the account (transfer). 

• BankAccount, which will be used internally by the bank to perform open and 
close operations on accounts. BankAccount is a specialisation of the Account 
interface, meaning that it offers all the services of Account, in addition to the new 
ones it introduces (open and close). 

The provision of two different interfaces (Account and BankAccount) to describe 
the same concept of account makes it possible to describe different access rights (or 
different views) of the same object, tailored for the needs of different clients. The 
signatures of the services provided by the Bank interface only deal with Account 
references, which means that clients of a Bank object will only receive references of 
this type, and thus will be able to access only the services defined in Account. Note 
that this separation is a typing discipline of the specification rather than an enforced 
access control: a CORBA object reference designates the object itself, not the view 
through which it was obtained, and a client holding an Account reference may attempt 
to narrow it to BankAccount; keeping open and close out of the reach of customers 
therefore also requires an authorisation check on the server side (or in the ORB's 
security service), not the interface split alone. 

Obviously a lot more needs to be said, in addition to these interfaces, to have a 
complete specification of the banking system. The behavioural specification of the 
banking system is provided below, in terms of two Cooperative Object classes, 
BankSpec and BankAccountSpec. 

Fig. 8 illustrates both the graphic syntax of a Cooperative Object class and the 
textual annotations that are necessary to complete its description. These textual 
annotations are: 

• The list of the interfaces that the CO class specifies (keyword specifies). In this 
case, the BankSpec class specifies the Bank interface. 
Fig. 8. Cooperative Object class specifying the Bank interface 

• The description of the places' types: for instance, the Accounts place holds tuples 
of the form <string, BankAccount>, i.e. the name of a bank account, and the 
associated reference to a BankAccount object. The type of the input and output ports 
need not be stated, since it is deduced from the signature of the associated service. 
For example, the type of the newAccount input port is <string, float>, and the 
type of its output port is <Account>. 

• The description of the transitions’ preconditions and actions: Empty actions 
default to no action, and empty preconditions default to true. Only the transitions with 
non-default precondition or action need to be stated in the textual part. 




The BankSpec class describes a sensible behaviour for the bank entity. For 
example, it states that an Account reference can be retrieved (through the findAccount 
service) only after an account with the same name has been created (through the 
newAccount service) and before it has been closed (through the closeAccount service). 
It also specifies under which conditions exceptions might be raised (for instance a 
nameAlreadyExists exception is raised when the newAccount service is called with a 
name parameter that matches a previously registered name). Such behavioural 
constraints could have been modelled just as well using a conventional ADT-based 
specification, using logical pre- and post-conditions for the services. However, the 
description of more subtle behaviours requires a formalism expressive enough to 
encompass concurrency and synchronisation constraints. 

In this respect, the Operation Control Structure (OpCS) of the newAccount service 
is especially noticeable: unlike the other two services (findAccount and closeAccount), 
it is not made of a single atomic transition, but of a subnet encompassing the 
createAccount and open transitions. This feature allows for internal concurrency 
within a BankSpec object: While an invocation of newAccount is being processed (i.e. 
when the newAccount place holds one token), other incoming invocations of 
findAccount or closeAccount can be serviced (if the marking of the Accounts place 
permits it). Moreover, several invocations of newAccount can be serviced 
concurrently (this will result in the newAccount place holding several tokens). Finally, 
when the service invocation returns (by setting the reference to the newly created 
BankAccountSpec object in the newAccount return port), the BankSpec object 
continues with an internal processing, namely to initialise the BankAccountSpec object 
with its initial balance (transition initialDeposit). This faithfully models the way 
actual banks proceed in the creation of new customer accounts: If one, as a customer, 
goes to a bank to create an account with an initial deposit, the account will be created 
immediately, but it will take some time before the account is actually credited with the 
initial deposit. If the account's balance is accessed in the meantime, it will be zero. 
The BankSpec also takes care that an account is not closed before the initial deposit is 
performed (inhibitor arc between openAccount and close). 

The behavioural specification of bank accounts is shown in Fig. 9. This CO class 
specifies the BankAccount interface and implicitly the Account interface since the two 
are related through inheritance. Several new syntactic constructs are illustrated in this 
class: Places can be provided with an initial marking, stating their content right after 
an instance of this class is created. In this case, an account is created in the closed 
state, with an initial balance of 0, as stated by the definition of the closed place. The 
transferFunds and T5 transitions are in structural conflict. This conflict is 
deterministically solved by the preconditions of these two transitions, which are 
mutually exclusive. Thus, the insufficientFunds exception is raised when the current 
balance is lower than the amount that one tries to withdraw. 

Note that (for the sake of brevity), the specification detailed in the BankSpec and 
BankAccountSpec classes offers no provision for reopening a closed account. This 
could be achieved, for instance, by providing a subclass of BankSpec with additional 
services to transfer the balance from a closed account to a newly created account. 
4 Prototyping CORBA Systems 

A well-known advantage of Petri nets is their executability. This is highly beneficial 
to our approach, since as soon as a behavioural specification is provided in terms of 
CO classes, this specification can be interpreted to provide additional insights on the 
possible evolutions of the system. 

Our approach is supported by a tool called PetShop [22], which includes a distributed 
implementation of the HLPN interpreter described in [4], rewritten in Java. The 
implementation is such that: 1) An interpreted ObCS can invoke (from an invocation 
transition) a service of a “third party” CORBA server running outside of the 
environment; 2) Conversely, an external CORBA client can call a service of a 
Cooperative Object, regardless of the fact that this service invocation will be 
performed by interpretation of the CO ObCS. This offers complete interoperability 
between the CORBA world and our formalism, and enables us to work in realistic 
settings, where we possess the complete behavioural specification of some objects 
only, but where we can nonetheless access objects provided by other sources, of 
which we know only the CORBA IDL. 



5 Conclusion and Future Work 

The approach presented here is motivated by the momentum gained by CORBA as a 
standard for distributed object systems, and by the evidence that some form of 
abstract behavioural modelling supporting the CORBA object model can be of great 
help in the development life-cycle of such systems. 

The main rationale for the use of Petri nets in our approach is their expressiveness 
in describing complex behaviours, including concurrency and synchronisation. Our 
belief is that high-level Petri nets are a very efficient behavioural specification 
language in the context of CORBA, providing a concise, accurate and formal 
description of the allowed behaviour of objects. Such a description is highly beneficial 
both to the developers of CORBA servers (who then have a complete and non-
ambiguous description of the behaviour they need to implement) and to the 
programmers of systems that use these servers (for whom the Petri nets serve as the 
"operating instructions" of the server). 

Another well-known advantage of Petri nets is their potential for formal analysis. 
Our approach has a strong operational bias: we accept to trade full analysis 
possibilities in favour of modelling power. However, we do not give up the potential 
for analysis of Petri nets altogether. Currently, our tool includes the usual Petri net 
analysis algorithms (such as P- and T-Invariants, liveness, boundedness, siphons and 
traps) that operate on the ObCS underlying net, i.e. the ObCS where all variables and 
data types are removed. We are currently in the process of assessing which of the 
analysis results for basic Petri nets are preserved in the high-level ObCS. Our initial 
studies appear to demonstrate that analysis of the underlying net provides very useful 
results for the ObCS: for instance, if the underlying net is bounded, then the high-
level net is bounded. If the underlying net is unbounded, we have no indication on the 
boundedness of the ObCS itself, since the boundedness of the high-level net may 
result from arc inscriptions or preconditions that are lost in the underlying net. 
Conversely, if the underlying net is not live, then neither is the ObCS (the reverse 
implication does not hold). Such properties, although they do not provide definitive 
answers on the behaviour of the object, are nonetheless of great help to the designer 
when she is constructing the ObCS. We are also investigating analysis techniques 
especially devised for high-level nets: 

• Analysis of object-oriented features: we wish to use Petri net analysis techniques 
not only to prove properties on an isolated object, but also to analyse constructs 
specific to object-oriented systems. For example, when two IDL interfaces are related 
through inheritance, some form of behavioural inheritance needs to be respected for 
CO classes that specify these interfaces. The work presented in [24] is a useful 
starting point for us, the most relevant notion in the context of CORBA appearing to 
be the one based on the hiding of new methods introduced in subclasses. We also 
want to analyse the cooperation between several CO instances, to check properties of 
a system of interacting objects. This is possible since the client-server protocol of 
§2.2.4 is described in terms of Petri nets, which enables generating a single static Petri 
net from the ObCS of classes in a system [3], [20]. This global net can be used to 
prove properties of the system as a whole. 

• Test generation: Another ongoing research is the ability to generate test suites 
from the Cooperative Object class definition. The tool supporting our approach can 
generate prototypes that are “almost functional” implementations of CORBA-IDL 
interfaces. They are “almost functional” in the sense that only behavioural 
requirements are dealt with. Other “quality-of-service” requirements, such as 
performance, persistence, replication or fault-tolerance, have to be taken care of in a 
fully functional implementation. The idea is that the CO class can serve as the formal 
specification of the class, and that programmers will implement the specification in 
some programming language, implementing the other quality-of-service requirements. 
This implementation needs to be tested for conformance against the original CO- 
based specification and the CO specification can be used to generate a test suite for 
the implementation. 
Abstract. In order to widen the applicability of Coloured Petri Nets 
for the specification and design of large scale distributed applications, 
a framework has been developed that supports the interaction of De- 
sign/CPN and Java processes. The underlying architecture can be used 
for other tools. Thereby a seamless embedding of the two worlds of Petri 
nets and object-oriented programming is achieved, allowing problem ori- 
ented modelling at different abstraction levels in a fully distributed envi- 
ronment. The general possibilities to connect Coloured Petri Net simula- 
tions with remote processes are discussed and a specific implementation 
of the required framework is sketched. Promising application areas are 
named and for some of them concrete example models are provided. 
Keywords: Coloured Petri Nets, Design/CPN, Distributed Simulation, 
Framework, Java, Prototyping, Computer Tools, Workflow 



1 Introduction 

The specification of systems, its evaluation, and its transfer to implementation 
is still a major task for computer science. One very promising technique in the 
area of specification, especially when concurrent and distributed systems are 
involved, are Coloured Petri Nets (see Q). Because a strong interconnection of 
specification and implementation is very useful when developing a system, it is 
desirable to bring together the worlds of Coloured Petri Nets and some popular 
programming language. 

In the area of implementation Java (see Q) aroused special interest for build- 
ing applications for the Internet, as it is an object-oriented, reasonably portable 
programming language that supports additional features such as high-level net- 
working and easy multi-thread programming. 

As a specification tool based on Petri nets, we chose Design/CPN (see B 
and B), because it is flexible and powerful and comes with a specially adapted 
graphical editor. Design/CPN supports the development of large systems by 
means of hierarchical models. Furthermore, an internal programming language, 
namely ML, can be used to extend the tool for our needs. 

In the environment proposed here (for the original version of this paper see 
B), Java should be used for the implementation of graphical user interfaces, 
database connectivity, and other applications for which one can fall back upon 
reusable implementations, while Design/CPN serves as the graphical specification 
tool that is powerful in designing and executing models of concurrent, distributed 
systems. 

But there are more reasons why an interaction of Design/CPN and Java has 
been expected and indeed turned out to be fruitful, namely to overcome some 
limitations of Design/CPN: The tool is designed for single-user mode only, but 
especially large-scale projects are dependent on teamwork. Although there is 
a flexible hierarchy concept, Design/CPN does not really support component 
re-use, as the exchange of parts between different models is difficult. 

In the Design/CPN simulator, interfaces for calling programs implemented 
in languages other than ML are supported on a very low level only. Although 
the tool itself, especially with the extension Mimic (see [ref]), offers graphical 
user interface routines, these are also very rudimentary compared to state-of-the-art 
tools. Last but not least the process of implementing a system for which 
a Design/CPN prototype has been designed is not well supported by the tool. 
Since simulation of large-scale models is not quite as efficient as a (compiled) 
program, it would at least be desirable to provide a stepwise migration of the 
system from net models to some programming language. 

Motivated by all these considerations, a framework has been designed that es- 
tablishes new possible fields of application where Design/CPN may be employed. 
The framework extends Design/CPN in several ways: Distributed simulation is 
achieved by different technical means, namely sockets and pipes. The imple- 
mented architecture and alternative concepts for the interconnection of multiple 
Design/CPN processes are described in section 2. In section 3 it is shown how 
Design/CPN can communicate with Java processes during simulation. This allows 
invoking Java methods and even the creation of Java objects. Section 4 
explains the reverse communication direction where Design/CPN processes are 
invoked by Java, viewing the whole Design/CPN process as an object. Possible 
applications of the extensions and benefits gained from these are discussed in 
section 5. Section 6 provides an outlook on how the framework can be further 
extended and how it can be exploited for other approaches. 

2 Distributed Design/CPN Processes 

If we want to achieve a distributed simulation using Design/CPN, we have to 
run multiple instances of the program and allow synchronisation of the multiple 
nets that are being executed. 

In our distributed simulation those cases are omitted which include the dis- 
tributed solving of conflicts. This problem has been treated in e.g. Q. Instead, a 
model is split into discrete models and distributed in such a way that only local 
conflicts can occur, which can be handled within one Design/CPN process. 

2.1 Possible Communication Channels 

Running multiple instances of Design/CPN in a single simulation run requires 
communication and synchronisation. Since shared memory is not provided, we 
have to use some form of message passing. 
Whatever I/O-channel is used, a blocking I/O call stops the current net 
simulation, because the simulator is strictly single-threaded. Hence, it is usually 
not advisable to perform blocking I/O, although this might be an option in some 
cases. Instead, we have to do polling I/O, checking for new input occasionally. 

There are essentially three possibilities to send and receive messages from 
within a Design/CPN simulation process: 

— Ordinary files. One Design/CPN process might write to a file, while another 
process might read the file. This is an inefficient method, especially if the 
processes access a file by NFS. Most network file systems cache file contents 
so that a change does not immediately propagate through the whole network. 
This makes ordinary files practically worthless for communication purposes. 

— TCP connections. A TCP connection involves a server and a client. The 
server sets up a server socket under a well-known port number, so that it 
can accept an arbitrary number of connections from clients. Each server 
socket is identified by the port number and the server’s host at the time the 
client socket is created. 

Using the ML library SysIO, Design/CPN supports client sockets with the 
help of low-level file descriptor I/O. 

— Pipes. In Design/CPN it is possible to generate an external process on the 
same machine by means of the execute function. The call will provide input 
and output pipes from Design/CPN to the created process. These can be 
handled by the usual ML stream I/O library, which is significantly easier to 
use than the raw file I/O. Of course, after a few routines have been written 
to handle the interprocess communication, the designer of a model does not 
get into contact with these routines very often anyway. 

This approach is suggested in the process example that is distributed with 
Design/CPN 3.02 which starts a Tcl/Tk process as an example. 

On the one hand, pipes are most useful when we want to communicate with 
other processes on the local machine that can be started during the simulation. 
On the other hand, the more versatile TCP connections have to be used if the 
processes are required to run on different machines or to be started before the 
net simulator. 



2.2 Possible Communication Architectures 

The process started by an execute function call could, of course, be another 
Design/CPN process, but a Design/CPN simulation cannot access its own stan- 
dard input and output streams. Moreover, at present there is no way to start an 
interactive simulation automatically within a Design/CPN process with which 
we could interact. These two difficulties practically rule out direct pipe commu- 
nication between the two nets. 

We cannot use direct TCP communication, because it is not possible to imple- 
ment server sockets within Design/CPN. This leaves us with three basic options: 
Fig. 3. Fully distributed solution 



— One dedicated communication process is started (the communication server). 
It opens a server socket that can be accessed by an arbitrary number of 
Design/CPN processes with one TCP connection each. For a visualisation 
of this architecture see Fig. 1. 

— Every Design/CPN process starts a messenger subprocess and accesses it 
via pipes. The messenger subprocesses are responsible for transporting the 
messages to and from the server. It will handle the protocol with the 
communication server as mentioned above (see Fig. 2). 

— Only the subprocesses are present and implement a suitable algorithm for 
direct message exchange, typically using TCP (see Fig. 3). 

In principle, it would be possible to organise the processes like in Figs. 2 or 3 
using TCP connections instead of pipes. However, this would imply programming 
more difficult ML functions without any obvious benefits. 

Of course, the communication processes can be implemented in any language 
that supports the necessary networking ability, but among the many options the 
most promising seems to be Java for the reasons given in section 1. 

The Server Solution. In Fig. 1 we can imagine the Design/CPN processes 
as actors that exchange messages via a mailbox (the server). Each actor has a 
unique mail address, which may be generated by the system at runtime and which 
will usually exploit the unique network name of the local computer. Some actors 
may also be assigned a unique well-known address chosen at programming time. 

In its simplest form, the mailbox has only to provide commands to send 
a message to a mail address and to receive a message, if one is available. For 
performance reasons it may be useful to receive all pending messages. More 
complex implementations would allow a blocking wait for messages, but this is 
of little use for a Design/CPN process, since it would completely suspend the 
simulation. Other options include a forwarding mechanism or a test if a mail 
address is valid. 

The host and the port where the mailbox is located must be public for all 
Design/CPN processes, so that they can establish a connection. 

The mailbox can quickly become the system’s bottleneck, especially because 
polling access is required by Design/CPN. Nevertheless, this method is surpris- 
ingly practical and will perform well, provided there are only few processes. 

The Messenger Solution. In this case there is still a mailbox, but every 
Design/CPN process starts a special messenger process by means of the execute 
function, as in Fig. 2. The messenger process can locally communicate with 
Design/CPN, which is usually much faster than remote interaction. Also, since the 
messenger is only responsible for a single Design/CPN process, we can use a sig- 
nificantly simpler protocol. Moreover, the messenger can communicate with the 
mailbox using efficient blocking I/O, thereby taking some load off the bottleneck. 
Of course, the price to pay is a further indirection leading to some communica- 
tion overhead. 

The Fully Distributed Solution. Here we no longer have a central instance; 
instead each subprocess spawned by Design/CPN interacts directly with other 
subprocesses, as shown in Fig. 3. This would lead to further performance benefits 
at the price of a vastly increased complexity of the message-handling algorithm. 

Even in a fully distributed architecture there might be a kind of centralised 
name service, which would allow the distributed nets to communicate without 
knowing the actual location of the other nets. 

2.3 A Communication Package 

We have tried the server solution (in C) and the messenger solution (in Java). 
Here we are going to limit ourselves to a description of the messenger solution, 
because it results in a more readable Design/CPN package. 

The actual implementation of the mailbox and the messenger processes are 
beyond the scope of this paper. Let it suffice to say that much effort went into the 
handling of concurrency and into the protocol. The actual network programming 
turned out to be very easy in Java, contrary to C where network calls constitute 
the majority of the code. 

At the moment the pure subprocess solution is not implemented, but it could 
be done in about three weeks, if this is required due to performance reasons. The 
Design/CPN library, which we are now going to describe, and the protocol on 
the pipes would not change at all, making an upgrade possible without any 
noticeable difference for the users. 

All basic message handling is done on a single I/O page that can be reused 
in every distributed system of nets, see Fig. 4. It encapsulates all the transitions 
to set up and terminate the connection and send or receive messages. As in the 
following figures, we denote test arcs¹ by arcs without arrow tips. 




Fig. 4. A subpage for string message I/O (IOPage) 



In the communication package described here, every Design/CPN process is 
assigned an arbitrary character string that can be used as the mailbox address. 
The I/O page is given the mailbox address on which it will listen via the “in” 
port place connect. 

The ML variable messenger has to contain the path and name of the ex- 
ecutable that starts a messenger process and should be defined in the global 
declaration node, e.g. 

val messenger = "/home/cpnuser/bin/messenger"; 

This path name is not passed as a token, because it does not often change and 
because an incorrect path might result in errors undetectable in the ML code. 

Outgoing messages must be put into the “in” port place send in the form 
of an address/data pair. Both will be handed on to the messenger through the 
output stream, preceded by the command send. Messages are received from the 
messenger through the input stream. It is important to test whether there is any 
pending input, because the ML function inputLine suspends until a newline 
character (\n) is read. The page provides access to the received messages using 
the “out” port place received. The data to be sent and received is always a 
character string. Other datatypes must be converted to a string format, which 
can easily be done using the predefined functions provided by Design/CPN. 

¹ In fact, Design/CPN does not support test arcs that do not move any tokens, but an 
arc without arrow tips is treated as an arc with arrow tips at both ends, thus removing 
and putting back identical tokens. However, this is not semantically different from a 
test arc as long as an interleaving semantics is assumed. 

Tokens can be put into the polling place or be removed from there in order 
to either start or stop polling for new messages. Design/CPN only allows to stop 
an “automatic” simulation run after a given number of steps or in case there are 
no more enabled transitions. Removing the polling token offers the possibility 
to stop an automatic simulation run without disconnecting. Furthermore, this 
feature should be used with nets where it is known when to expect incoming 
messages, e.g. only as answers to query messages that have been sent before. 
It is much more efficient not to poll for new messages while the net is working 
locally and not expecting any message input. If the polling port place is not 
assigned on the “parent” page, the initial marking of one token will be used 
and polling will always be activated as long as the connection is up. It should 
be recalled that Design/CPN uses the initial marking of a port place only if no 
socket place is assigned to it. 

Finally, there is a facility to close the connection and shut down the messenger 
process, because these processes might stay alive when they are not terminated 
properly. If one wants to do so, one has to change the marking of the disconnect 
place to one token and fire the disconnect transition. 

Because pipes cannot be uniquely represented as strings, they cannot be used 
as token colours, hence they have to be stored in reference variables. These are 
not allowed to be used in arc inscriptions, but in code regions only. We defined 
two global instance variables, infile and outfile. If one wants to use the subnet 
more than once, because there is some need to run multiple messenger processes, 
one can also use instance reference variables which have different values for each 
page instance. This may be desired when many net fragments are developed and 
tested within one simulator, before they are finally split into many independent 
nets. The reason why we used global reference variables is that we normally do 
not use more than one instance of the I/O page and also that instance variables 
cannot be reached from ML code via Design/CPN’s ML evaluate feature, e.g. to 
close the streams manually. 

3 Accessing Java from Design/CPN 

It should be clear that the message passing scheme used in our architecture 
does not rely on specific Petri net techniques, so that Design/CPN could be 
complemented by programs in arbitrary languages that support TCP. Again we 
choose Java as our example language, even though experiments have also been 
done with C (for details see |). 

A straightforward implementation would provide only the basic routines to 
send and to receive string messages, leaving the programmer with the task of 
making the necessary calls. But we can increase the developers’ productivity by 
defining a standard message format and supplying reusable parsing algorithms. 

On top of that, we can provide algorithms that actually perform the call that 
was requested by Design/CPN, so that the message passing framework becomes 
completely invisible to Java programs. Quite the same can be achieved on the 
side of Design/CPN where we make a Java method call look like an ordinary 
substitution transition (see section 3.3). 



3.1 The Message Format 

The message format should contain all the necessary information to make a Java 
method call: the object whose method is invoked, the caller that awaits a return 
message, the method name for the called Java object, and a list of parameters. 
We have to distinguish these call messages from another type of messages which 
we call return messages. A return message is much simpler, as the method name 
and the caller can be omitted. What remains is just the target object (which 
should be equal to the original sender of the call message) and a list of param- 
eters, which in the case of Java may only be of length one or zero (if a method 
is of return type void). 

One suggestion for a suitable message format that has been implemented has 
the main aim to keep the net inscriptions and functions simple on the side of 
Design/CPN. As Design/CPN is based on the functional language ML, it can 
handle lists very well. Thus, a message is implemented as a list of the components 
mentioned above. 

However, Design/CPN-colours are strongly typed, so a union type of all dif- 
ferent types that may appear in a message has to be defined. We end up with a 
message colour definition as follows: 

color OBJECT = union Null + RC:RCLASS + RI:RINSTANCE + M:METHOD 
             + Int:INTEGER + Str:STRING + Bool:BOOLEAN + Real:REAL; 
color MSG = list OBJECT; 

with RC being a colour that represents a reference to a remote class, RI repre- 
senting a reference to a remote instance, M declaring a method name and Int, 
Str, Bool and Real being the constructors for the basic datatypes available in 
ML and Java. Other types, especially arrays, could be added, if desired. 

This very general message format needs additional constraints for well-formed 
call and return messages, but offers the advantage to define both with the same 
Design/CPN colour. In order to distinguish call and return messages easily, we 
chose to put the method name in the first position of the object list instead of 
using the order of the object-oriented dot notation, where the receiving object 
is named first. A message starting with a method name is assumed to be a call 
message, otherwise a return message. The complete sequence of a call message is 
[M(method-name), invoked-object, caller-object, param1, param2, ...] 
while a return message is simply 
[receiver-object, result] 

where result is optional and the receiver-object is the former caller-object. 

References are defined as tuples of a class and a process identifier, the latter 
of which is used to locate remote objects. Unlike a class reference, an instance 
reference also contains an ID as a third component that makes the triple a 
globally unique identifier. 

color RCLASS = product CLASS * PID; 

color RINSTANCE = product CLASS * PID * RID; 

These tuples could have been coded into a single string, but using tuples we 
can apply the built-in Design/CPN pattern matching capabilities to select the 
information that is needed to send and receive messages. 

All colours that have not been declared are simply defined as STRING in our 
implementation. 

Alternatively, the structure of a message given at the beginning of this section 
could be directly translated into Design/CPN-colours. For a call message, this 
would result in a four-tuple of the object being invoked, the method name, the 
calling object and a list of parameters, which again is a list of objects defined as 
the message above. 

Obviously, one call and one return message have to be sent for each statement. 
When sending messages, we have to provide a unique name for the sender. We 
can for example use the constant class name cpn, construct the “mailbox” name 
as hostname:process-ID (of the simulation process), and use a sequence number 
for every sender being active concurrently. Thus, we end up with a sender like 
RI(("cpn", "cpnhost:12345", "1")). This message has to be handled by a Java 
process which is waiting for the messages and performs appropriate actions. 

All in all, the perfect message format is partly a matter of taste, but we 
believe that the list format offers most advantages for Design/CPN. 



3.2 A Message Translation Page 

On top of the message I/O page, another page is built that translates the message 
to and from the string representation which is used externally (see Fig. 5). Pages 
like this one must be created individually according to the input and output 
types that result from the conversion. The pages are expected to share a common 
structure, so they can be copied from a standard template and then be modified. 
Since most of the conversion is done by predefined ML functions already available 
within Design/CPN, the effort is usually negligible. 

In our solution, a unique name for connecting to the mailbox is generated by 
a custom ML function getUniqueName() according to the convention described 
in the previous section. The disconnect socket is transformed to a global fusion 
place, so that the network connection may be terminated from any page in the 
diagram. Access to the send and the receive place are provided via global fusion 
sets, too. Alternatively, the translation page could have defined port places, so 
Fig. 5. A message translation page 



that it could have been used as a subpage to a net that wants to send messages. 
We chose the former solution because the translation page is expected to be used 
by several other pages or page instances and it is neither necessary nor desirable 
to get multiple instances of this page. A single, global page is of course more 
efficient in simulation runs. 



3.3 A Graphical Petri Net Notation for Method Calls 

A further possibility to avoid complex arc inscriptions and to abstract from 
the message format is to choose a notation that is more adequate for Petri 
nets. A (Java) method call always goes through the same steps: The message 
is constructed from the components mentioned in section 3.1, with a unique 
identifier being constructed as the sender. Then, the message is sent and the 
caller waits for a return message, which is again decomposed into its components. 

Fig. 6 shows a subpage that implements this behaviour. The interface consists 
of all components of a call and the corresponding return message. The maximum 
Fig. 6. A subpage wrapping calls to Java methods (Call) 



number of parameters has been chosen to be three in this net but may easily 
be extended. No practical problems are to be expected, since the maximum of 
parameters needed can be determined at compile-time and should not be too 
high, anyway. Moreover, note the distinction between data and control flow: A 
special place named control indicates the control state of the call, while all 
other input data is read by test arcs only. The control places’ colour, VOID, is 
defined to contain one element only, which is referred to as the black token. 

A unique ID is assigned to each instance of the page by using the page in- 
stance fusion place counter. Each page instance may only invoke one method 
at a given time (asserted by the place idle), but several instances of the Call 
subpage may act concurrently. To handle parameter input, we again take ad- 
vantage of the Design/CPN feature that the initial marking of a port place is 
only used if the port place remains unassigned. Thus, all parameter places that 
are not used by a substitution transition remain Void and are suppressed in the 
construction of the call message by the ML function until_void defined in the 
global declaration node. The output port place should only be used if the called 
method actually returns a result, because then the arc expression will produce 
no token (not even a black one). A separate control token is produced to indicate 
that the method call is finished. It may be used to enable the next transition. 

To make the nets calling Java more readable, some Design/CPN regions have 
been suppressed in the following figures. However, a special graphical notation 
makes the syntax of the nets clear without ambiguity, as may be seen in Fig. 7. 
The left-hand side contains all regions and inscriptions, while the right-hand side 
shows how these are translated into graphical representations: All control places 
and control arcs are shown in bold style. They are always of colour VOID, as 
Fig. 7. An example of the special graphical notation for using the Call subpage 



they store control information only. Data places and arcs are shown in normal 
style and all have the colour OBJECT unless they are a method place, which can 
be recognised by their position directly to the left or to the right to a Call 
(see Fig. 6) substitution transition. If an arc has no arc inscription, it is either 
connected to a substitution transition (Design/CPN neglects inscription of such 
arcs, anyway) or it has the hidden arc inscription () which is one black token. 

Any transition that invokes an object method, in the following referred to as a 
method invocation transition, is indicated by the presence of a dotted arc without 
arrow tips. Since all these transitions are substitution transitions refined by the 
Call subpage, the hierarchy substitution region (HS) may be omitted. In order to 
still state a precise port assignment, the following rules apply: The arc connecting 
a socket place to the object I/O port is exactly the dotted one. The input and 
output control sockets can be recognised as the bold places with input and output 
arcs, respectively. The input parameters are connected with test arcs in normal 
style. If more than one input parameter is used, the arcs have to be labelled with 
the parameter index pn (this notation is not needed in this paper). The output 
port is assigned to the socket that is connected to the substitution transition via 
an output arc in normal style. 

3.4 An Example Net Calling Java 

In the example net in Fig. 8 a computation with Java’s big integers is performed, 
but this time, concurrency is exploited. To specify concurrency, we use transitions 
to fork and to join control flow. Since both “threads” send messages to Java, 
we have to take care that the return messages are correctly associated. This is 
ensured by every instance of the Call subpage using a different identifier. 

Of course, from the viewpoint of efficiency, Java method calls on a small scale 
as in this example do not really make sense, since the overhead of sending and 
interpreting messages is very high. Since efficiency was clearly not among the 
goals of our prototype implementation, we did not analyse performance issues. 

There have been other test applications which better exploit the advantages 
of our framework, but are too extensive to be presented here. In [ref] a game was 
developed that simulates a stock exchange using a Coloured Petri Net. The net 
was augmented by calls to a graphical user interface programmed in Java, re- 
sulting in a game that can be played by multiple players across a network. The 
Fig. 8. A Petri net performing concurrent calculations with Java BigIntegers 



new net shows a dramatic increase in usability that would have been impossible 
or at least cumbersome with pure Design/CPN. Using Java only, the develop- 
ment time might have been shorter, but the CPN model offers a much better 
understanding of concurrency and distribution in the resulting running system. 



3.5 Processing Method Calls in Java 

We now briefly describe how the Java side of our framework treats the incoming 
messages. As a first step, a message is converted into an internal representation 
using a straightforward top-down parser. 

Now some remote references might point to an object of the local Java process. 
Class references are immediately resolved to ordinary Java classes². Then 
the framework has to translate the remote instance references into local Java 
objects using a special table of externally known objects. 

² Java allows the loading of classes at runtime, requiring only a string representation 
of the class name. Even the creation of classes at runtime is possible. 
Afterwards the framework determines the class of the invoked object and uses 
the standard reflection³ package to get a list of all public methods which the 
object supports. It chooses the appropriate method from the list and calls it in 
an individual thread. Now other calls can be concurrently received and parsed. 

After the completion of the method call, the result is sent back to the caller 
whose address was specified in the message. If a reference to a Java object is 
returned, the framework generates a unique external name for it and inserts this 
name in the table of externally known objects. Design/CPN will then receive 
the message and forward the result. 

If a Design/CPN process interacts with multiple Java processes, remote ref- 
erences might point to an object of a remote Java process instead of a local Java 
object. This case, too, is handled by our framework, e.g. one could, if desired, 
store a reference to an object on one process in a hash-table on another process. 

There are two possibilities for a CPN process to obtain references to Java 
objects. To start with, such an object may be created by a special program that 
also invokes the framework and inserts the object into the table of externally 
known objects under a well-known name. Then, the CPN process may access the 
new method of a class reference. In fact, the message looks like a normal method 
call, which is not the case in the Java programming language, where new is a 
keyword with a special syntax. To keep the message format clean, we decided to 
use new like a static method provided by every class instead. 

This allows the creation of arbitrary Java objects from a Design/CPN net, 
even for built-in classes like hash-tables, windows, etc. Although this device 
is extremely powerful, a note of caution has to be added: The creation of new objects 
using the new method provides complete access to the Java environment, thereby 
opening up huge security holes. But Java programs can deliberately reduce their 
access rights by means of the SecurityManager interface. If this does not prove 
sufficient, it is still possible to protect the access to either the Java framework 
or to the entire message handling system by passwords or other techniques. 
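The caution above is the hinge of the whole mechanism: a dispatcher that resolves new and method names by reflection will instantiate and call anything the runtime can see. The following is an added example, not the paper's framework (which is written in Java and uses Java reflection): it mirrors the message handling described above in Python, with a table of externally known objects, new treated like a static method of every class, object results registered under a fresh external name, and, as the access reduction the paragraph calls for, an explicit allow-list of constructible classes and callable methods. The message layout (a dict with receiver, method and at most three params), the class names and the object-naming scheme are assumptions of this example, not the paper's wire format.

```python
"""Reflection-style call dispatcher with an allow-list (added example).

Mirrors the mechanism described in the text: a table of externally known
objects, `new` handled like a static method of every class, and results that
are object references registered under a fresh external name. The allow-list
is the access-reduction step; the message layout and class names are
constructed assumptions, not the paper's framework or wire format.
"""


# Constructed stand-ins for Java classes a net might want to create.
class Counter:
    def __init__(self, start=0):
        self.value = start

    def increment(self, by=1):
        self.value += by
        return self.value

    def clone(self):                     # returns an object, not a primitive
        return Counter(self.value)


class FileEraser:                        # deliberately absent from ALLOWED
    def wipe(self, path):
        return "would delete " + path


# Allow-list: class name -> (class, names of methods callable via messages).
ALLOWED = {
    "Counter": (Counter, {"increment", "clone"}),
}

MAX_PARAMS = 3                           # the paper limits calls to three parameters

# Table of externally known objects: external name -> live object.
KNOWN_OBJECTS = {}
_next_id = 0


def _register(obj):
    """Give an object a unique external name and make it addressable."""
    global _next_id
    name = "obj%d" % _next_id
    _next_id += 1
    KNOWN_OBJECTS[name] = obj
    return name


def _encode_result(value):
    """Primitives travel by value; anything else becomes an external reference."""
    if value is None or isinstance(value, (bool, int, float, str)):
        return value
    return _register(value)


def dispatch(msg):
    """Handle one call message {receiver, method, params}.

    Returns (True, result) on success and (False, reason) on refusal; never
    raises, so a malformed message cannot take the handler down.
    """
    receiver, method = msg.get("receiver"), msg.get("method")
    params = list(msg.get("params", []))
    if len(params) > MAX_PARAMS:
        return False, "too many parameters"

    if method == "new":                  # "new" as a static method of a class
        if receiver not in ALLOWED:
            return False, "class not allowed: %r" % receiver
        cls, _ = ALLOWED[receiver]
        try:
            return True, _register(cls(*params))
        except TypeError as exc:
            return False, "bad constructor arguments: %s" % exc

    target = KNOWN_OBJECTS.get(receiver)
    if target is None:
        return False, "unknown receiver: %r" % receiver
    cls_name = type(target).__name__
    allowed_methods = ALLOWED.get(cls_name, (None, set()))[1]
    if method not in allowed_methods:    # also blocks __class__, __dict__, ...
        return False, "method not allowed: %s.%s" % (cls_name, method)
    try:
        return True, _encode_result(getattr(target, method)(*params))
    except TypeError as exc:
        return False, "bad call arguments: %s" % exc
```

The point of the allow-list is that it is checked before reflection is used at all: a message naming a class or method outside it is refused without the dispatcher ever looking the name up, which is the same direction of restriction as running the Java side under a SecurityManager, but enforced at the message boundary rather than by the runtime.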



4 Accessing Design/CPN from Java 

In the last section, we have shown how to call Java from Design/CPN. This 
approach is useful when the major part of the application is modelled with 
Design/CPN and Java is used to complement the application. 

In other cases, an application or at least large parts may have already been 
implemented in Java, but Petri nets are utilised for modelling use cases or work- 
flows that are contained in the application. Then, one may wish to design and 
run these parts with Design/CPN and call Petri nets from Java. The basic idea 
is that a system modeller can use the most appropriate tool for representing and 
solving the problem at hand. 

The reflection mechanism is a powerful feature of the Java environment that al- 
lows the complete analysis of objects, classes and methods at runtime. Thus, Java 
programs can view a reflected image of themselves as if in a mirror. Additionally, 
the modification, the creation, and the invocation of objects is supported. 

Fig. 9. A subpage for calls to a CPN (CPNCall) 



All one has to do to extend our approach to support this feature, is firstly to 
implement generic Java proxy objects that call Design/CPN nets via messages. 
Secondly, Design/CPN nets have to be extended to be able to receive and process 
call messages, not only return messages. In a sense, a Design/CPN process has 
to behave like a single (static) object, thus providing some methods that may 
be called. 

4.1 Designing a Subpage for Calls to Design/CPN Nets 

Again, we have tried to find a very general solution, i.e. a net subpage that 
can be re-used for any Design/CPN net implementing some method call. Fig. 9 
shows such a subpage which is basically the counterpart to the net presented 
in Fig.O. The transition at the bottom ensures that the net is able to receive 
messages all the time, in contrast to a net that just calls Java methods and polls 
for return messages if some call has been sent. The upper transition checks all 
incoming messages whether they are call messages to the method name given 
in the port place method. If so, the parameters contained in the call message 
are distributed into separate places (again, the maximum number of parameters 
is restricted to three) and a token is put into the control output port place 
to specify that the "parent" net may start now. The receiver of the message is 
ignored, because the whole net is treated like a single object. If this net had not 
been the receiver of the message, the message would not have been delivered 
there. The idle place is needed because this simple version of calling a net does 
not support concurrent calls to the same net, while it does allow concurrency 
within the net. This restriction is lifted when our object Petri net approach is 
used as discussed in the conclusion. After the parent net has finished its task, 
it has to put a token into the control input port place. It should remove all 
input parameter tokens as well as all tokens that were produced during the run, 
lest the next call fail or produce unexpected results.¹ When a socket place is 
assigned to the output place, some token has to be present that is used as a 
return parameter. The subpage then constructs a return message to the sender 
of the call message and puts it into the global fusion place SendReturnMsg, so 
that it is sent by the Message page and the IOPage. 

Fig. 10. An example of a net that can be called from Java 



4.2 An Example of a Net that Can Be Called 

To illustrate the use of this subpage, we specify a net that implements a method 
executing some example workflow by W. v.d. Aalst, cited in Q. 

The example was introduced as follows. When a criminal offence happens 
and the police has a suspect, a record is made by an official. This is printed and 
sent to the secretary of the Justice Department. Extra information about the 
history of the suspect and some data from the local government are supplied and 
completed by a second official. Meanwhile the information on the official record 
is verified by a secretary. When these activities are completed, a prosecutor 
determines whether the suspect is summoned or charged, or whether the case is 
suspended. 

¹ It is not too complicated to check this property automatically using place invariants. 

In Fig. 10 a workflow for this case is modelled using our object-oriented Petri 
net notation introduced in section ^3 extended by the feature that a method 
invocation transition may consume input parameters. In the upper part, the 
interface places of the method crimeCase are connected to the subpage CPNCall 
through a substitution transition. The arcs that point to the bottom border of 
the figure are actually connected to this transition, too. Note that tokens for the 
places official1, official2, secretary, and prosecutor have to be provided 
elsewhere. We do not give any further details on how the method invocation 
transitions might be refined. In fact, the activities may be implemented as code 
regions, as subpages, in Java or even as other nets that may be called through 
the message interface. 

In this case the call of the workflow from Java simply looks like 

    RemoteCPN cpn = new RemoteCPN("cpnhost:12345");
    String decision = (String) cpn.execute("crimeCase", "Roger Rabbit",
                                           "murder of Marvin Acme");

assuming that cpnhost:12345 is the hostname / process-ID of the simulation 
process (and thus its mailbox name) simulating the workflow net, that the sus- 
pect is Roger Rabbit, and that he is accused of murder, where the decision of 
the prosecutor (as well as the input parameters) is implemented as a String. 



5 Possible Applications and Benefits 

Petri nets are already a concurrent formalism, so a net model documents the 
intended concurrency without the need to distribute it. But there remain at 
least two cases where a distributed net model is favourable even in the absence 
of interaction with Java: 

— Need for performance gains. Whether any significant performance improve- 
ments are possible depends on several factors. It must be possible to split the 
application into parts that communicate by messages. This is often naturally 
the case, but existing net models might not show the possible splitting lines 
clearly. What is more important is that the nets should require as little com- 
munication messages as possible. Alternatively, the net might be demanding 
in terms of ML evaluation time, e.g. animation or optimisation algorithms. In 
both cases, the communication cost might be dominated by the computation 
cost. 

— Real concurrency. The Design/CPN simulator is a single-threaded applica- 
tion. Thus, no real concurrency, not even multi-threading is available. Multi- 
threading would be especially desirable if complex or time-consuming ML 
functions are executed, which is normally done within one simulation step, 
delaying all transitions. Now, code may be moved to a separate diagram 
(or any external program, see below), enabling the calling net to continue 
working while the computation is performed. Polling for the answer has its 
drawback, but is in some cases preferable to blocking the whole simulation. 

— Necessary distribution. Some applications require access to distributed re- 
sources, e.g. a visualisation module that accesses various screens or a game 
that needs input from many players. Such applications cannot naturally be 
realised without a distributed simulator. 

However, the greatest benefit of our communication framework comes from the 
interoperability with other programming environments: 

— The access to Java processes enables the developer of a net model to incor- 
porate much more complex GUIs into a net. This improves the interaction 
with the user of the net, but might also be used to animate and visualise 
the simulated process or to generate more elaborate statistics and debugging 
information. 

Although there are some GUI libraries for Design/CPN already — the most 
notable one being Mimic/CPN described in — they do not match the 
flexibility of Java or comparable languages. Moreover, there is a lack of rapid 
prototyping tools which greatly speed up the GUI development. 

— Distributed computing also allows multiple users to participate in a single 
simulation from different terminals. 

— Processes that are controlled by Design/CPN might also handle general I/O 
devices. This may simplify the control of a system by a net, a possibility 
already mentioned in the context of the security system presented in sec- 
tion 1.5 of volume 3 of H. There it was proposed to extract parts of the ML 
code generated from the net for the execution on a stand-alone micropro- 
cessor. Such a task might be considerably simplified if the connection to the 
outside world remains the same during the translation. 

— It becomes possible to reuse code that was not developed in Design/CPN or 
ML. In this area the standard container classes come to mind immediately, 
but in fact there is a wide range of programs for Java covering almost all 
aspects of algorithms and data structures as well as various I/O and network 
libraries. 

There are additional benefits when Coloured Petri Nets can also be called from 
the outside: 

— It is possible to move gradually from a Petri net prototype to an implemen- 
tation using Java. Although this will require that the nets themselves are 
structured in an object-oriented way, it remains a viable route. 

— The specification of workflows with Petri nets has attracted much interest in 
the past years. Using the framework it seems possible to use Coloured Petri 
Nets for executable prototypes of workflows and in the future maybe even 
for final products. 
6 Outlook 

The framework presented here improves the usability of Design/CPN in some of 
the most important areas: distribution, interoperability, appropriate modelling, 
and graphical user interfaces. A smooth transition from a specification within 
Design/CPN via distributed Design/CPN modules to distributed Java modules 
seems possible. Some applications have already been implemented thereby doc- 
umenting the gained flexibility. 

In the meantime, we developed a high-level Petri net editor and simulator, 
Renew Q, that offers an even closer connection to Java and object-orientation 
in general. Java is used as an inscription language, so that Java objects can be 
accessed directly, but distribution is not supported directly. Renew supports dy- 
namic net instances and net references, which eases introducing object-oriented 
concepts into Petri nets. In the near future we are going to use the framework 
presented here to connect Design/CPN and Renew. In order to achieve object- 
oriented behaviour of nets, we are going to extend the framework to object- 
oriented Petri nets in the sense of ^9 and In those approaches the struc- 
ture of the nets represents most object-oriented features without extensions of 
Coloured Petri Nets themselves. Tool support of the object-oriented techniques 
could then further simplify the development process. 

Additionally, Artificial Intelligence concepts as already used in are going 
to be extended by providing a connection to Prolog. This will allow us to access 
available tools for logic programming directly from Petri net models. 

If Design/CPN itself was extended by multi-threaded simulation of net mod- 
els, this would capture some concurrency aspects of our framework. The dis- 
tribution and interaction with Java would still be an essential benefit of our 
framework, which would even be improved, because blocking input could be 
used instead of polling. 

Our communication framework already bears some resemblance to other 
distributed object-oriented architectures. Although many functions and just as 
many concepts are still missing, it no longer seems far fetched that Petri 
nets might one day be usable with systems like CORBA Q. 
Abstract. Recent research in hybrid dynamic systems has brought together 
formalisms and techniques from computer science and control 
theory to address problems involving a mixture of discrete and continu- 
ous state variables. Computer scientists have extended standard models 
of finite-state systems to include continuous dynamics that determine 
when discrete state transitions can occur. Control theorists have intro- 
duced switching logic and discrete states to select continuous dynamic 
modes in models of controllers and physical systems. The interaction of 
discrete and continuous phenomena-and the interaction of computer sci- 
entists and control theorists-have led to new research problems and new 
research results. 

Three models illustrate different perspectives in the hybrid systems liter- 
ature: block diagrams with discrete and continuous dynamic blocks; hy- 
brid automata with continuous dynamics associated with each discrete 
state; and continuous Petri nets with continuous dynamics associated 
with each place. As illustrated by selected examples from the literature, 
each formalism offers intuitive features for modeling particular classes of 
hybrid dynamic systems. 

Computational tools have been developed to model, simulate, and ana- 
lyze various classes of hybrid systems. To analyze hybrid systems, con- 
trol theorists have introduced extensions to Lyapunov theory for stabil- 
ity analysis, and computer scientists have extended formal verification 
techniques to certain classes of hybrid systems. In the latter research, de- 
cidability results clearly distinguish tractable from intractable problems. 
This talk reviews the models, analytical results, and computational tools 
that have been developed recently for hybrid dynamic systems. The state 
of the research and prospects for future advances in the theory and ap- 
plications will be assessed. 
Abstract. Discrete event dynamic systems may have extremely large 
state spaces. For their analysis, it is usual to relax the description by re- 
moving the integrality constraints. Applying this idea, continuous P/T 
systems are defined by allowing fractional firings of transitions, and thus 
the existence of non-discrete markings | ' | . In this paper we compare 

the behaviors of discrete and continuous systems, and observe that they 
are not necessarily similar. The problems that appear lead to the defini- 
tion of two extensions of reachability. Many properties shall be extended 
differently depending on which reachability definition is being consid- 
ered. Here, we concentrate on liveness and deadlock- freeness, proposing 
extensions and relating them to their discrete counterparts. 



1 Introduction 

One of the most important tools for the analysis of P/T systems is the state equa- 
tion, which is based on the relaxation of the reachability condition using a path 
integration approach. This description is sometimes further relaxed by dropping 
integrality constraints, following the approach that is typical in the mathemati- 
cal modeling of systems with large state spaces (e.g., population models). This 
fluidization allows to use linear programming instead of integer programming 
in the verification of certain properties. 

These principles can also be applied in the reverse order, first continuization 
and then path integration. By disregarding first the integrality of variables, we 
get continuous P/T systems | ‘ ' ' | . In these models, “fluid tokens” are contained 
in “deposits” (the places), the “level” of which (the marking) captures the state 
of the system. Transitions are regarded as “mixing valves” whose firing (opening) 
consumes fluid from the input places and produces fluid onto the output places 
in a given proportion, defined by the arc weights. These nets are interesting in 
the modeling of certain continuous systems, and also as an approximation of 
systems with large amounts of (discrete) tokens. 

Autonomous continuous P/T systems were introduced in Q. Although some 
work has been done in the analysis of timed continuous P/T systems | ' ~ ' | , 
almost nothing has been done w.r.t. the analysis of autonomous continuous P/T 
systems. It might be thought that they cannot be that different from discrete 
P/T systems. However we will see that the behavior of a system considered 
as discrete may be completely different from its behavior if it is considered as 
continuous. Moreover, although the extension of the “token game” to continuous 
P/T systems is quite immediate, it is not so clear how such a basic concept as 
reachability should be extended. For instance, should be considered reachable a 
marking that cannot be obtained firing a finite sequence, but is obtained after 
an infinitely long one? 

The basic definitions of autonomous continuous P/T nets and systems are 
introduced in Section^ Some immediate properties are also proven, as the con- 
vex nature of the reachability space, or the equivalence, in case every transition 
is fireable, of behavioral and synchronic relations (in particular boundedness 
and str. boundedness). In Section H some examples are presented which show 
that the properties of a system may be very different depending on whether 
it is considered as discrete or continuous. A new definition of reachability, limit 
reachability, in which infinitely long firing sequences are allowed, is introduced in 
Section^ If every transition is fireable, the limit reachability space of consistent 
systems is characterized as the set of solutions of the state equation. Section J 
is devoted to the analysis of liveness. Two definitions of liveness are introduced 
that correspond to the two views of reachability (Subsection . In Subsec- 
tion it is observed that both kinds of liveness are preserved if the marking 
is scaled. The relationship that exists among all the definitions of liveness (the 
two continuous definitions and the discrete one) is analyzed in Subsection ^3 
In Subsection ^3 necessary conditions are obtained for the liveness defini- 
tion that seems more convenient. Finally, we restrict to subclasses, in particular, 
equal conflict and free choice Q systems, for which stronger results can be 
proved (Subsection ^3). 

2 Definition and First Results 

A continuous P/T system is a pair (N, m_0), where N = (P, T, Pre, Post) is a 
P/T net (P and T are disjoint (finite) sets of places and transitions, and Pre 
and Post are |P| × |T| sized, natural valued, incidence matrices), and m_0 is a 
continuous marking. 

The net in a continuous P/T system is the usual P/T net. In particular, the 
restriction on the arc weights being integer is maintained. This is particularly 
reasonable when the continuous P/T system is used as an approximation of a 
discrete system. In the case of continuous (or hybrid) P/T systems used to model 
continuous systems, the integrality of the arc weights is not a big restriction 
because rational arc weights could be multiplied by the least common multiple 
of their denominators. 

All the concepts based on the representation of the P/T net as a graph (strong 
connectedness, presets, postsets, ...) can be directly applied to continuous P/T 
nets. In particular, the definitions based on the annullers of the token-flow matrix 
(C = Post − Pre) can be immediately extended. Right and left natural annullers 
are called T- and P-semiflows, respectively. When y · C = 0, y > 0 the net is said 
to be conservative, and when C · x = 0, x > 0 the net is said to be consistent. 
The definitions of subclasses that depend only on the structure of the net are 
also generalized. For instance, in choice free nets (CF) each place has at most one 
output transition, free choice nets (FC) are ordinary nets in which all conflicts 
are equal (•t ∩ •t' ≠ ∅ ⇒ Pre[P, t] = Pre[P, t']), and equal conflict nets (EQ) 
are the weighted counterpart of FC nets. 

A continuous marking is a |P| sized, non-negative, real valued vector. A 
continuous P/T system is a pair S = (N, m_0), where m_0 is the initial contin- 
uous marking. A transition t is enabled at m iff for every p ∈ •t, m[p] > 0. In 
other words, the enabling condition of continuous systems is the same as the 
enabling condition of discrete ordinary systems: every input place is marked. 
As in discrete systems, the enabling degree of a transition measures the max- 
imal amount in which the transition can be fired in one go, i.e. enab(t, m) = 
min_{p ∈ •t} {m[p] / Pre[p, t]}. The firing of t in a certain amount α ≤ enab(t, m) 
leads to a new marking m' = m + α · C[P, t]. This is denoted as m --(αt)--> m'. No- 
tice that a transition being enabled or not does not depend on the arc weights, 
although they are important to compute the enabling degree and to obtain the 
new marking. A certain marking m' is reachable from m if a (finite) fireable 
sequence exists leading from m to m'. 

Definition 1. Let (N, m_0) be a continuous system. A certain marking m ∈ 
(R^+ ∪ {0})^{|P|} is reachable iff a finite sequence σ = α_1 t_1 α_2 t_2 ··· α_k t_k exists such 
that 

$$m_0 \xrightarrow{\alpha_1 t_1} m_1 \xrightarrow{\alpha_2 t_2} m_2 \cdots \xrightarrow{\alpha_k t_k} m_k = m$$

where t_i ∈ T and α_i ∈ R^+. 

The reachability space, RS_C(N, m_0), is the set of all the reachable markings. 
Given σ such that m --σ--> m', and denoting by σ̄ the firing count vector of σ, 
then m' = m + C · σ̄. This is known as the state equation of S. 

The set of all the markings m ∈ (R^+ ∪ {0})^{|P|} that fulfil the state equation, 
with σ̄ ∈ (R^+ ∪ {0})^{|T|}, is called the linearized reachability space (w.r.t. the 
state equation), LRS_C(N, m_0). 

If m_0 --σ--> m, then m = m_0 + C · σ̄. Thus, as in discrete P/T systems, RS_C ⊆ 
LRS_C. 

The possibility of firing the transitions in any amount (up to the enabling 
degree) leads to the fulfilment of several properties on the set of fireable sequences 
related to homothecy and monotony: 

Proposition 2. Let (N, m_0) be a continuous P/T system, and σ a sequence 
fireable at m_0. 

— For any α > 0, ασ is fireable at αm_0, where ασ represents a sequence that 
is equal to σ except in the amount of each firing, that is multiplied by α. 

— If 0 < α ≤ 1, ασ is fireable at m_0. 

— For any m_0' ≥ m_0, σ is fireable at m_0'. 

This endows the reachability space with a particular structure that it does 
not have in discrete systems: it is a convex set. That is, for any two markings 
that can be reached from mo, any intermediate marking that can be expressed 
as their linear combination is reachable too. 

Theorem 3. The reachability space of a continuous P/T system is a convex set. 

Proof. Let (N, m_0) be a continuous system and m_1, m_2 two reachable markings, 
i.e., m_0 --σ_1--> m_1 and m_0 --σ_2--> m_2. Let α ∈ [0, 1]. Then, αm_0 --ασ_1--> αm_1 and (1 − 
α)m_0 --(1−α)σ_2--> (1 − α)m_2. Therefore, αm_1 + (1 − α)m_2 is reachable from m_0 
firing ασ_1 + (1 − α)σ_2. □ 

The same idea of firing just a part of what is enabled is the basis of the 
following algorithm, that checks whether every transition is fireable at least 
once. 

The algorithm fires the enabled transitions, which can lead to the enabling of 
other transitions, but taking care not to disable any of the former. Thus, the set 
of enabled transitions, T^, never decreases. If it does not increase, a point has 
been reached in which the firing of the enabled transitions cannot lead to the 
enabling of any other one, therefore not every transition can be fired. Otherwise, 
since the number of transitions is finite, the algorithm stops when all have been 
considered. 



Algorithm 1 

Input: A continuous P/T system, (N, m_0) 

Output: The set of dead transitions, T' 

Begin 

  Let T^0 = ∅; 
  Let T^1 = {t | enab(t, m_0) > 0}; 
  j := 1; 

  While T^j ≠ T and T^j ≠ T^{j−1} do 
    Let σ_j be a sequence obtained firing all the transitions in T^j \ T^{j−1} 
    with half their enabling degree, and let m_{j−1} --σ_j--> m_j; 
    T^{j+1} := {t | enab(t, m_j) > 0}; 
    j := j + 1 
  od 

  T' := T \ T^j 

End 
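To make Section 2's definitions and Algorithm 1 concrete, here is an added example (not code from the paper) that implements enabling, the enabling degree, firing in a given amount, the state equation, the scaling of sequences from Proposition 2, the convex combination of Theorem 3, and the dead-transition detection of Algorithm 1. The net it runs on is constructed for this example and is not one of the paper's figures; Pre and Post are given as |P| × |T| lists and all markings and firing amounts are exact fractions. One detail the algorithm leaves open is the order in which the newly enabled transitions are fired; the implementation below fires them one after another, recomputing the enabling degree each time, which is one way to guarantee that no previously enabled transition is disabled (each firing takes at most half of every input place). It also assumes that every transition has at least one input place.

```python
"""Continuous P/T system semantics and Algorithm 1 (added example).

Not code from the paper: it implements the definitions of Section 2 (enabling,
enabling degree, firing, state equation, scaling of sequences) and the
dead-transition detection of Algorithm 1 on a constructed net. Fractions keep
the arithmetic exact. Assumption: every transition has at least one input place.
"""
from fractions import Fraction


class ContinuousPT:
    def __init__(self, pre, post, m0):
        self.pre, self.post = pre, post            # |P| x |T| natural matrices
        self.P, self.T = len(pre), len(pre[0])
        self.C = [[post[p][t] - pre[p][t] for t in range(self.T)]
                  for p in range(self.P)]         # token-flow matrix C = Post - Pre
        self.m0 = [Fraction(x) for x in m0]

    def preset(self, t):
        return [p for p in range(self.P) if self.pre[p][t] > 0]

    def enab(self, t, m):
        """Enabling degree min_{p in *t} m[p]/Pre[p,t]; t is enabled iff it is > 0."""
        return min(m[p] / self.pre[p][t] for p in self.preset(t))

    def fire(self, t, alpha, m):
        """m' = m + alpha * C[P,t], for 0 <= alpha <= enab(t, m)."""
        alpha = Fraction(alpha)
        if not 0 <= alpha <= self.enab(t, m):
            raise ValueError("amount %s exceeds enabling degree of t%d" % (alpha, t))
        return [m[p] + alpha * self.C[p][t] for p in range(self.P)]

    def fire_sequence(self, seq, m=None):
        """Fire [(t, alpha), ...]; returns the final marking and the firing count vector."""
        m = list(self.m0 if m is None else m)
        count = [Fraction(0)] * self.T
        for t, alpha in seq:
            m = self.fire(t, alpha, m)
            count[t] += Fraction(alpha)
        return m, count

    def state_equation(self, count):
        """m0 + C * count: the marking the state equation predicts for this count."""
        return [self.m0[p] + sum(self.C[p][t] * count[t] for t in range(self.T))
                for p in range(self.P)]

    @staticmethod
    def scaled(seq, alpha):
        """alpha*sigma of Proposition 2: same transitions, amounts multiplied by alpha."""
        return [(t, Fraction(a) * alpha) for t, a in seq]

    def convex_point(self, seq1, seq2, alpha):
        """Theorem 3, constructively: fire alpha*seq1 and then (1-alpha)*seq2 from m0;
        the result is alpha*m1 + (1-alpha)*m2 for the markings m1, m2 the sequences reach."""
        m, _ = self.fire_sequence(self.scaled(seq1, alpha))
        m, _ = self.fire_sequence(self.scaled(seq2, 1 - alpha), m)
        return m

    def dead_transitions(self):
        """Algorithm 1. Newly enabled transitions are fired one after another with
        half of their (recomputed) enabling degree, which never empties an input
        place, so the enabled set T^j never shrinks. Stops when T^j covers T or
        stops growing; returns (dead transitions, marking reached)."""
        all_t = set(range(self.T))
        m = list(self.m0)
        prev, enabled = set(), {t for t in all_t if self.enab(t, m) > 0}
        while enabled != all_t and enabled != prev:
            for t in sorted(enabled - prev):
                m = self.fire(t, self.enab(t, m) / 2, m)
            prev, enabled = enabled, {t for t in all_t if self.enab(t, m) > 0}
        return all_t - enabled, m


# Constructed net (not one of the paper's figures): p0 -2-> t0 -> p1 -> t1 -> p2
# -> t2 -> p0 forms a cycle; t3 needs the never-marked place p3, so it is dead.
PRE = [[2, 0, 0, 0],
       [0, 1, 0, 0],
       [0, 0, 1, 0],
       [0, 0, 0, 1]]
POST = [[0, 0, 1, 1],
        [1, 0, 0, 0],
        [0, 1, 0, 0],
        [0, 0, 0, 0]]
NET = ContinuousPT(PRE, POST, m0=[1, 0, 0, 0])

if __name__ == "__main__":
    dead, m = NET.dead_transitions()
    print("dead transitions:", dead, "marking reached:", m)
```

On this net t0 is enabled at m_0 with degree 1/2 (the arc weight 2 halves the degree but, as the text stresses, does not affect enabledness), Algorithm 1 fires t0, then t1, then t2 at half their degree and stops with T^j = {t0, t1, t2} unchanged, so T' = {t3}.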



In other words, in continuous systems it is equivalent that every transition is 
fireable or that a strictly positive marking can be reached. From this, realizability 
of T-semiflows can be deduced, and all the three are equivalent if the net is 
consistent. 
Proposition 4. Let (N, m_0) be a continuous system. 

1. It is equivalent that every transition is fireable or that a strictly positive 
marking can be reached. 

2. If every transition is fireable, for every x ≥ 0 such that C · x ≥ 0 a marking 
m ∈ RS_C(N, m_0) exists such that m --σ--> and σ̄ = αx with α > 0. Moreover, 
both properties are equivalent if the net is consistent. 

Fireability of T-semiflows implies that behavioral and structural synchronic 
relations Q coincide in continuous systems in which every transition is fireable 
at least once. In particular, defining boundedness and str. boundedness as in 
discrete systems (a system is bounded iff k exists such that for every reachable 
marking m ≤ k, and it is str. bounded iff it is bounded with every initial marking) 
it is immediate to see that both concepts coincide in continuous systems in 
which every transition is fireable. And, as in discrete systems, str. boundedness 
is equivalent to the existence of y > 0 such that y · C ≤ 0 (Farkas Lemma |). 

Theorem 5. Let (N, m_0) be a continuous system in which every transition is 
fireable at least once. It is equivalent: 

— (N, m_0) is bounded. 

— N is bounded with any initial marking (str. bounded). 

— y > 0 exists such that y · C ≤ 0. 

3 Discrepancies between Continuous and Discrete Behaviors 

The simple way in which the basic definitions of discrete systems are extended 
to continuous systems may make us naively think that their behavior cannot 
be very different, provided the marking is “large enough” . We will see in this 
section that this is not completely true. 

For example, look at the system in Figure 1. Each time t_1 and t_2 are fired 
in their maximal enabling degree, the marking of p_1 is cut by half. Thus, we 
can always find a marking such that for every successor the marking of p_1 is as 
small as required. But it never reaches zero (remember Zeno's paradox). 
Therefore, in the continuous system we can always go on firing transitions t_1 
and t_2, while that is clearly not true in the discrete system, no matter how big 
the initial marking is. 




Fig. 1. A non str. live discrete system that never blocks if it is seen as continuous. 

Nevertheless, the enabling degree of these continuous transitions decreases 
with each firing, and it could be thought that the continuous behavior is not 
that different from the discrete one: in the end a marking will be reached such 
that for every successor the enabling degree of both transitions is "almost zero". 
But this is a very simple system, and things may get much more entangled. 
Observe the system in Figure 2(a). If we analyze this net as a discrete P/T net, 







Fig. 2. Four bounded and strongly connected systems which behave in a 
very different way if they are considered as discrete or as continuous: 

(a) is non str. live, e-live, non str. lim-live; 

(b) is non str. live, non e-live, non str. lim-live; 

(c) is live, non str. e-live, non str. lim-live; 

(d) is live, e-live, non str. lim-live. 



it is not str. live. For any initial marking, t_1 or t_2 can be fired sufficiently many 
times to reach a marking in which p_1 or p_2 are marked with just one token, 
which is clearly a deadlock. On the other hand, the continuous system displays a 
completely different behavior. For instance, with the given initial marking, firing 
the sequence t_1 t_2 t_1 t_2 ... we can obtain a marking such that the enabling 
of t_1 and t_2 is as small as desired (observe that the marking of p_1 decreases 
exponentially). However, and unlike the previous example, the marking of p_1 is 
not unavoidably led to zero, since it can be increased again firing t_2. 

The reason for the completely different behavior of the discrete and the con- 
tinuous system in this case is that the continuous system considers the tokens 
as composed of infinitely many parts, and hence, we do not find the restriction 
that in the discrete system leads to not being able to redistribute the tokens. In 
other words, the “problem” is that the gap between natural numbers is discrete, 
and thus any decreasing sequence of natural numbers eventually reaches a lower 
bound, in which it may get blocked. This is not true in general for sequences of 
rational/real numbers. 

This example shows also that systems that might be considered "equivalent" 
as discrete systems (their reachability graphs are isomorphic) may not be so if 
they are seen as continuous systems. From a discrete systems perspective, there 
is no difference between systems (a) and (b) in Figure 2 (in particular, the token- 
flow matrix of both systems is the same, although the Pre and Post matrices 
are different). However, their behaviors as continuous systems are completely 
different. The system on the right follows the behavior of the discrete system: for 
any initial marking, firing t_1 or t_2 in a large enough amount we reach a deadlock. 
On the contrary, we have seen that the system on the left never deadlocks with 
the firing of a finite sequence. 

It may also happen that a system deadlocks if it is seen as continuous and 
does not deadlock as discrete. Look for instance at the system in Figure 2(c). 
As a discrete system, it is live with the given marking. However, for any initial 
marking m_0, the firing of t_1 in an amount of m_0[p_1]/2 in the continuous system 
leads to [0, m_0[p_1]/2 + m_0[p_2]] and the system gets blocked. 

On the other hand, the system in Figure 2(d), which as discrete has a reach- 
ability graph isomorphic to the one of the system in Figure 2(c), as continuous 
never reaches a marking with no transition enabled. Observe that although these 
two systems have the same behavior as discrete, there is a big difference in the 
underlying nets: the system in Figure 2(c) is non live with any initial marking 
with an even number of tokens in p_1, while any marking greater than or equal to 
[1, 1] makes live the system in Figure 2(d). It is clear that a system cannot be 
live as continuous if its liveness as discrete relies strongly on the particular mark- 
ing. That is, a system that is live as discrete with a certain marking, but not live 
with a multiple of it, cannot be live as continuous. Scaling liveness monotonicity, 
which may be desirable, but is not compulsory in discrete systems, appears a 
basic property if we want to study them as continuous systems. 

With the different systems in Figure 2 we have seen that, even in the case of 
EQ nets, the behaviors of a system, if it is considered as discrete or continuous, do 
not necessarily coincide. We wonder whether in simpler classes, such as live and 
bounded FC or CF systems, discrete and continuous behaviors are analogous. 
Let us consider a basic property of discrete bounded systems: no infinite firing 
sequence exists in which the markings are all different. Two example systems, one 
FC and the other CF, both live, bounded and reversible (the initial marking can 
always be returned to), are shown in Figure 3. In both, even this simple property 
is violated. For the FC system on the left, all the intermediate markings when the 
sequence t_3 t_6 t_7 t_1 t_2 t_4 t_5 t_7 t_1 t_2 t_4 t_5 t_7 ... is fired are different. 
The same happens to the CF system on the right if we fire the sequence 
t_1 t_3 t_1 t_3 t_1 ... This is completely different from what happens in 
discrete systems. 

4 A New Concept: Limit Reachability 

Let us go back to the system in FigureH(a). We have seen that a state can be 
reached in which the marking of p1 is as small as desired. For some applications, 
it might be reasonable to consider that we can reach a marking such that this 
place does not contain any token. In other words, to include the marking that 
would be obtained in the limit as a reachable marking. 
Fig. 3. Two reversible, live and bounded discrete P/T systems. When consid- 
ered as continuous systems, infinitely long firing sequences exist in which the 
transitions are fired in their maximal enabling degree, and such that every in- 
termediate marking appears only once. 



Definition 6. Let (N, m0) be a continuous system. We say that a marking m ∈ 
(ℝ⁺ ∪ {0})^{|P|} is limit reachable iff a sequence of reachable markings 
exists verifying 

$$m_0 \xrightarrow{\sigma_1} m_1 \xrightarrow{\sigma_2} m_2 \cdots m_{i-1} \xrightarrow{\sigma_i} m_i \cdots$$

and lim_{i→∞} m_i = m. 

The firing sequence may be null after a finite number of firings, therefore the 
reachable markings are in particular limit reachable. 

The limit reachability space, lim-RS_C(N, m0), is the set of limit reachable 
(and in particular reachable) markings. 

The definition of boundedness does not change with the new concept of limit 
reachability (if every m_i ≤ k, then lim_{i→∞} m_i ≤ k). 

There is a strong relationship between the LRS_C and the lim-RS_C of a contin- 
uous system. In fact, they coincide in consistent systems in which every transition 
is fireable. 

Theorem 7. Let (N, m0) be consistent and such that each transition can be 
fired at least once. Then lim-RS_C(N, m0) = LRS_C(N, m0). 

Proof. It is clear that lim-RS_C(N, m0) ⊆ LRS_C(N, m0), since LRS_C(N, m0) is 
a closed set that includes RS_C(N, m0). 

For the "⊇", let m ∈ LRS_C(N, m0), m = m0 + C·σ. Applying Proposition^ 
we have that from m0 a positive marking m' = m0 + C·σ' can be reached. We 
will prove that m ∈ lim-RS_C(N, m'). Observe that m = m0 + C·σ = m' + C· 
(σ − σ'). Being N consistent, a T-semiflow, x, exists such that x + σ − σ' > 0, 
and thus m = m' + C·(σ − σ' + x). Since m' > 0, α and σ'' exist such that 
σ'' is fireable from m' and σ'' = α(σ − σ' + x), i.e., a sequence proportional 
to the vector leading from m' to m can be fired. If α ≥ 1, it is clear that m 
can be reached from m'. Otherwise, the firing of σ'' leads to m' + C·σ'' = 
m' + αC·(σ − σ' + x) = αm + (1 − α)m', i.e., 

$$m_0 \xrightarrow{\sigma'} m' \xrightarrow{\sigma''} \alpha m + (1-\alpha)\,m'$$

Clearly, if σ'' was fireable from m', (1 − α)σ'' is fireable from (1 − α)m'. Hence 

$$\alpha m + (1-\alpha)\,m' \xrightarrow{(1-\alpha)\sigma''} \alpha m + (1-\alpha)\alpha\,m + (1-\alpha)^2\,m'$$

Repeating the procedure we build a sequence of markings whose limit is m. □ 
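Carrying the iteration in the proof through k steps makes the limit explicit. The following derivation is added here (it is not in the original text) and uses only the proof's own symbols; write m^{(k)} for the marking after the k-th repetition, with m^{(0)} = m'. At step k the sequence (1 − α)^{k−1}σ'' is fired, which adds (1 − α)^{k−1} C·σ'' = (1 − α)^{k−1} α (m − m') to the marking, so

$$m^{(k)} = m^{(k-1)} + (1-\alpha)^{k-1}\,\alpha\,(m - m') = m + (1-\alpha)^{k}\,(m' - m),$$

and k = 1 and k = 2 give the two markings displayed in the proof. Since 0 < α < 1, (1 − α)^k → 0 and lim_{k→∞} m^{(k)} = m. Each step is fireable because m^{(k−1)} ≥ (1 − α)^{k−1} m' (as m ≥ 0) together with the scaling remark in the proof; the total amount fired is

$$\sigma'' \sum_{k \ge 0} (1-\alpha)^{k} = \frac{\sigma''}{\alpha} = \sigma - \sigma' + x,$$

i.e., the state-equation vector from m' to m plus the T-semiflow x.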

This does not mean that for any vector x such that m0 + C·x ≥ 0 a sequence 
with this firing vector is enabled at m0. For instance, in the example of Figure 4, 
[0, 1, 0, 0, 1] = [1, 0, 0, 0, 1] + C·[0, 1, 1, 0, 0]^T is reachable, but no sequence with 
firing vector [0, 1, 1, 0, 0] is enabled. 




Fig. 4. In this system [0, 1, 0, 0, 1] is a reachable marking, although no enabled 
sequence has [0, 1, 1, 0, 0] as its firing vector. 



The equality of the LRS_C and the lim-RS_C does not hold in general if the 
system is not consistent or not every transition is fireable. For instance, in the 
system on the left in Figure 5, which is consistent but in which no transition can 
be fired, the marking [0, 1, 0, 0] belongs to the LRS_C but not to the lim-RS_C. 
The same happens to the marking [0, 1, 0, 0, 1] in the system on the right. In this 
system every transition can be fired, but it is not consistent. For the moment 
nothing can be said about the complexity of computing the lim-RS_C in the 
general case, not even whether it is decidable or not. However, the setting in 
which the equality holds seems general enough to cover many interesting cases. 

5 On Liveness Analysis 

Two of the main properties we have been discussing all along this work 
are liveness and deadlock-freeness. In this section we will present two possible 
extensions of the definitions of liveness to continuous P/T systems, one w.r.t. 
the RS_C (ε-liveness) and the other w.r.t. the lim-RS_C (lim-liveness), and the 
corresponding two definitions of deadlock-freeness. We will compare these two 
liveness definitions and also relate them to discrete liveness. This will allow us 
to deduce that necessary conditions for discrete liveness are necessary for lim- 
liveness too. Then, we will concentrate on the classes of EQ and FC nets. We 
will see that for strongly connected and str. bounded EQ systems str. lim-liveness 
and (discrete) str. liveness coincide, and they are also equivalent to str. ε-liveness 
for FC nets. 

Fig. 5. Two continuous systems for which either not every transition is fireable 
(left) or the net is not consistent (right). 

5.1 Liveness Definitions 

Let us start defining liveness w.r.t. the RS_C. A naive generalization of the dis- 
crete definition, following the approach used to define boundedness, leads to the 
following statement: a transition t of a continuous P/T system is live iff from 
every reachable marking, m, another marking, m', can be reached at which the 
transition is enabled, i.e., enab(t, m') > 0. 

According to this definition, transition t1 in Figure | is live, since for every 
reachable marking a successor exists such that the marking of p1 is greater than 
zero. From our discrete-biased point of view, this does not seem to be what one 
would desire of a live transition. Therefore, let us try to modify the definition to 
avoid this kind of behavior. 

The problem in this example is that with a finite number of firings the mark- 
ing of p1 and p2 can be made indefinitely small, but not zero. With the idea of 
not allowing this to be considered live, we introduce an improved version of the 
definition of liveness: 

Definition 8. Let (N, m0) be a continuous P/T system. A transition t is ε- 
live iff ε > 0 exists such that for any reachable marking, m, a successor m' ∈ 
RS_C(N, m) can be found such that enab(t, m') > ε. 

So, if the enabling of a transition can be made as small as desired and never 
grows back, this transition is not ε-live. As in discrete systems, we will say that 
a continuous system is str. ε-live if a marking m0 exists such that in (N, m0) 
every transition is ε-live. For instance, the system in FigureH(a) is ε-live with 
the given marking. 

In an analogous way we can define deadlock-freeness. 

Definition 9. Let (N, m0) be a continuous P/T system. It ε-deadlocks iff for 
every ε > 0 a reachable marking, m_ε, exists such that for every successor m'_ε ∈ 
RS_C(N, m_ε), and every transition t, enab(t, m'_ε) < ε. 

Clearly, the system in Figure J ε-deadlocks. 

Another possibility is to define liveness w.r.t. the lim-RS_C. With this defini- 
tion of reachability, the extension of liveness is immediate: 

Definition 10. Let (N, m0) be a continuous P/T system. A transition t is lim- 
live iff for any marking m ∈ lim-RS_C(N, m0) a successor m' ∈ RS_C(N, m) 
exists such that enab(t, m') > 0. 

In other words, a transition is non-lim-live iff a sequence of successively 
reachable markings exists which converges to a marking such that none of its 
successors enables the transition. Observe that none of the systems in Figure^ is 
lim-live. For example, in the system in (a), firing once either t1 or t2 a deadlock 
is reached. For the system in (b), take for instance the following sequence of 
markings: 

$$m_0 \to m_1 \to m_2 \to m_3 \to \cdots$$

That is, m_k = [ … , … − 1/2^{k−1}]. Clearly, a limit of this sequence exists, 
m = [0, 4], and no transition is enabled there. Hence, the system is not lim- 
live. Even more, it can be proven that no marking makes this system lim-live. 
Therefore, we can say that the continuous P/T net is not str. lim-live. 

The following properties of bounded lim-live systems can be immediately 
deduced. 



Theorem 11. Let (N, m0) be a consistent, bounded and lim-live continuous 
system. Then, 

1. LRS_C(N, m0) = lim-RS_C(N, m0), i.e., there is no spurious solution of the 
state equation. 

2. N is str. bounded. 

3. (N, m0) is reversible w.r.t. the lim-RS_C. 

Proof. For (1), since the system is lim-live, a fireable sequence exists that con- 
tains all the transitions. Then, applying Theorem 7, the result is proved. 

(2) is immediate from Theorem^. 

To prove (3), let m ∈ lim-RS_C(N, m0). Observe that, since the net is con- 
sistent, m0 ∈ LRS_C(N, m). Then, applying (1) to (N, m), we obtain that 
m0 ∈ lim-RS_C(N, m). □ 

Analogously, we can define lim-deadlock: 

Definition 12. A continuous P/T system (N, m0) lim-deadlocks iff a marking 
m ∈ lim-RS_C(N, m0) exists such that enab(t, m) = 0 for every transition t. 

For instance, all the systems in FigureH lim-deadlock. 
5.2 Liveness Monotonicity 

In discrete systems it may happen that a system is live with a certain marking, 
and non-live with any other marking, in particular with a multiple marking. In 
continuous systems an ε-live (lim-live) system is also ε-live (lim-live) with any 
multiple/fraction of the initial marking. That is, ε-liveness and lim-liveness are 
monotonic w.r.t. scaling of the marking. 

Proposition 13. Let (N, m0) be a continuous P/T system. If it is ε-live (lim- 
live), then for every α > 0 (N, αm0) is ε-live (lim-live). 

Proof. Assume (N, m0) is ε-live and α > 0 exists such that (N, αm0) is not 
ε-live. Since (N, m0) is ε-live, a constant ε > 0 exists such that for every 
m ∈ RS_C(N, m0), and every transition t, a successor of m exists for which 
the enabling of t is greater than ε. (N, αm0) is not ε-live, therefore a transition 
t' and a sequence σ' exist such that $\alpha m_0 \xrightarrow{\sigma'} m'$, and for every successor of m' 
the enabling of t' is less than αε. Observe that σ'/α can be fired at m0, i.e., 
$m_0 \xrightarrow{\sigma'/\alpha} m'/\alpha$. A successor of m'/α exists such that the enabling of t' is greater 
than ε. Hence, a successor of m' exists for which the enabling of t' is greater 
than αε, contradiction. 

An analogous proof can be used in the case of lim-liveness. □ 

A question that naturally arises is whether discrete liveness monotonicity is 
a stronger result than ε- or lim-liveness. This is false in the case of lim-liveness. 
For instance, the system in FigureH(d) is live as a discrete system with the given 
marking or a larger one. But it is not str. lim-live, since for any initial marking, 
firing t2 t2 t2 ..., in the limit a marking is reached in which no 
transition is enabled. However, it is true w.r.t. ε-liveness, that is, discrete liveness 
monotonicity implies ε-liveness. 

Theorem 14. Let (N, m0) be a consistent system which is live as discrete with 
any marking multiple of the initial one. Then, it is ε-live. 

Proof. Consider (N, m0) as a continuous system. The proof will be done in two 
steps. First, assume a reachable marking m and a transition t exist such that no 
successor of m enables t. Taking a constant k big enough, a discrete sequence 
can be fired from km0 leading to a marking which is as close as desired to km 
(it may be exact if in the sequence leading to m all the transitions are fired in a 
rational amount). Since the discrete system is live, a successor of this marking 
enables t. Hence, a successor of m exists that enables t, contradiction. 

Therefore, for every transition and every marking a successor exists in which 
this transition is enabled. It might happen that the system were not ε-live be- 
cause the enabling approached zero, i.e., for every ε > 0, t and m exist such that 
for every successor the enabling of t is less than ε. Since the system is consistent, 
reasoning as in Theorem 7 we can reach a marking that is as close as desired to 
any solution of the LRS_C, in particular a marking close to m0. (N, m0) is live as 
discrete, hence t can be fired again in a "big amount". □ 
5.3 Relations between Discrete Liveness, ε-Liveness, and 
lim-Liveness 

In Section 3 we compared the properties of a system as discrete with its prop- 
erties as continuous, the latter interpreted using the immediate continuous 
extension of reachability. The examples that appear there show in particular 
that a system can be str. live as discrete and not str. ε-live (FigureH(c)); and 
the reverse, it can be str. ε-live and not str. live (FigureH(a)). 

The concept of limit reachability was then introduced, trying to bring the 
continuous properties nearer to what one would expect. As we have seen, lim- 
liveness cannot be deduced from (discrete) str. liveness (FigureH(c)). However, 
any lim-live system is str. live if it is seen as discrete. (Although not necessarily 
live, i.e., the structure of the net is "correct", although the marking may be "not 
large enough".) 

Theorem 15. Let (N, m0) be a bounded lim-live P/T system. Then, N is 
str. live and str. bounded as a discrete net. 

Proof. Assume N is not str. live as a discrete net. We will see that we can find a 
sequence of successively reachable markings in the continuous system, such that 
at the limit at least one transition is disabled, which contradicts lim-liveness. 

(N, m0) is not live as a discrete system, therefore a sequence σ1 and a tran- 
sition t_{j1} exist such that $m_0 \xrightarrow{\sigma_1} m_1$ and for every successor of m1, t_{j1} is disabled. 

Take now (N, 2m1). It is not live as a discrete system, therefore a sequence 
σ2 and a transition t_{j2} exist such that $2m_1 \xrightarrow{\sigma_2} m_2$ and for every successor of m2, 
t_{j2} is disabled. 

Analogously, (N, 2m2) is not live as a discrete system ... 

Repeating this procedure, a sequence of markings of the continuous system 
is obtained: 

$$m_0 \xrightarrow{\sigma_1} m_1 \xrightarrow{\frac{1}{2}\sigma_2} \tfrac{1}{2} m_2 \xrightarrow{\frac{1}{4}\sigma_3} \tfrac{1}{4} m_3 \cdots \xrightarrow{\frac{1}{2^{k-1}}\sigma_k} \tfrac{1}{2^{k-1}} m_k \cdots$$

For simplicity, let us denote m'_k = m_k / 2^{k−1} and σ'_k = σ_k / 2^{k−1}. Then 

$$m_0 \xrightarrow{\sigma'_1} m'_1 \xrightarrow{\sigma'_2} m'_2 \cdots \xrightarrow{\sigma'_k} m'_k \cdots$$

The number of transitions is finite, therefore an infinite subsequence exists such 
that the disabled transition is always the same. We will denote this transition 
as t. 

Since the system is bounded, a convergent subsequence of the former subse- 
quence exists (by the Bolzano-Weierstrass Theorem, any bounded sequence contains 
a convergent subsequence). We will denote this latter subsequence as {m'_k}_{k≥1}. 
That is, 

$$m_0 \to m'_1 \to m'_2 \to \cdots \to m'_k \to \cdots$$

where lim_{k→∞} m'_k = m'. 

(N, m0) is lim-live, therefore α > 0 and a firing sequence σ exist such that 

Let ε = ½ min_{p∈P}{m'[p] | m'[p] > 0}. Since m' = lim_{k→∞} m'_k, a certain k0 
exists such that for every k ≥ k0 and every place p, |m'_k[p] − m'[p]| < ε. Thus, 
for every k ≥ k0, m'_k ≥ ½m' and 

Let K = 2^{k−1}. Then, and taking k big 
enough, an integer sequence that enables t can be fired from, contradiction. 
□ 



With respect to the relationship between lim-liveness and ε-liveness, a similar 
result can be proven, i.e., a bounded continuous lim-live system is ε-live. The 
reverse is not true, as the system in FigureH(c) shows. 

Theorem 16. Let (N, m0) be a bounded lim-live P/T system. Then, (N, m0) 
is ε-live. 

Proof. Assume (N, m0) is not ε-live. Then, for every k > 0 a transition t_{j_k} and 
a marking m_k ∈ RS_C(N, m0) exist such that for every m̂_k ∈ RS_C(N, m_k), 
enab(t_{j_k}, m̂_k) < 1/k. Since the number of transitions is finite we can assume 
w.l.o.g. that all the t_{j_k} coincide. We will denote this transition as t. 

Observe that m1 is reachable from m0, but nothing ensures that m2 can 
be reached from m1. By Theorem 15 this system is str. live and str. bounded, 
hence consistent. Thus, m2 ∈ LRS_C(N, m1). Moreover, being lim-live, every 
transition is fireable, and applying Theorem 7, m2 ∈ lim-RS_C(N, m1). There- 
fore m'_2 ∈ RS_C(N, m1) exists such that |m2 − m'_2| < 1/2. Analogously, m3 ∈ 
lim-RS_C(N, m'_2), and repeating the reasoning m'_3 ∈ RS_C(N, m'_2) exists such 
that |m'_3 − m3| < 1/3. In general, 

$$m_0 \to m_1 \to m'_2 \to m'_3 \to \cdots \to m'_k \to \cdots$$

and |m_k − m'_k| < 1/k. This defines a bounded sequence of markings, therefore, 
applying the Bolzano-Weierstrass Theorem, a convergent subsequence {m'_{i_k}}_{k≥0} 
exists (i_k being the index in the original sequence). Let m' = lim_{k→∞} m'_{i_k}. 

(N, m0) is lim-live and m' ∈ lim-RS_C(N, m0), hence a (finite) sequence σ 
and α > 0 exist such that 

Define ε = ½ min{m'[p] | m'[p] > 0}. Then, applying the limit definition and the 
way the sequence has been built, a certain k0 exists such that for every k ≥ k0, 
|m'_{i_k} − m'| < ½ε, and |m'_{i_k} − m_{i_k}| < ½ε. Thus, |m_{i_k} − m'| < ε and by definition 
of ε, m_{i_k} ≥ ½ m'. Therefore, 

If k is big enough, α/2 > 1/i_k. Contradiction, since for every successor of m_{i_k} the 
enabling of t is less than 1/i_k. □ 

We have seen that a system may be str. discrete live (FigureH(a)) or str. ε- 
live (FigureH(c)) and not str. lim-live. We might think that if both conditions 
were required, i.e., the system is str. ε-live as a continuous system and str. live 
as a discrete one, perhaps str. lim-liveness could be deduced. Actually, this is 
not the case, as can be observed in the system in FigureH(d). The problem in 
this example is that there are solutions of the state equation that cannot be 
reached in the discrete system but are reachable at the limit, which correspond 
to deadlocks. For example, with the given initial marking, firing the sequence 
t1 t1 ..., we reach in the limit the marking [0, 2], which clearly is a deadlock. 

The results in Theorem 15 and Theorem 16 and the counterexamples in 
Figure^ are summarized in the diagram in Figure 6. In Subsection 5.5 we will 
see that these results can be improved if we restrict to selected subclasses. 



[Fig. 6 diagram: lim-live, ε-live, str. (discrete) live] 

Fig. 6. Relationships among lim-liveness, ε-liveness and discrete liveness for gen- 
eral P/T nets. 



5.4 Two Necessary Conditions for lim-Liveness 

From Theorem 15 it is clear that any necessary condition for a discrete system 
to be str. live and str. bounded is also necessary for it to be str. lim-live and 
bounded. In particular the rank theorem (see | for a recent survey) is a neces- 
sary condition based on the existence of left and right annullers of the token-flow 
matrix, and the existence of an upper bound on the rank of this matrix, which is 
the number of equal conflict sets. Two transitions, t and t', are said to be in equal 
conflict (EQ) relation when Pre[P, t] = Pre[P, t'] ≠ 0. This is an equivalence 
relation and the set of all the equal conflict sets is denoted by SEQS. 

Theorem 17. Let (N, m0) be a lim-live and bounded continuous system. Then, 
N is consistent, conservative and rank(C) ≤ |SEQS| − 1. 
Other structural elements that are useful in the analysis of lim-liveness are 
siphons. A siphon is a set of places, P', such that •P' ⊆ P'•. Observe that an 
empty siphon cannot be marked. Hence, a necessary condition for lim-liveness is 
that no marking can be reached in which a siphon is empty. In Q the conditions 
for a set of places being a siphon were stated as the solutions to a set of linear 
inequalities: a set Σ ⊆ P is a siphon of N iff y ≥ 0 exists such that ||y|| = Σ 
and y·C_Σ ≥ 0, where N_Σ = (P, T, Pre_Σ, Post) is such that Pre_Σ[p, t] = 0 
iff Pre[p, t] = 0, and Pre_Σ[p, t] ≥ Σ_{p'∈P} Post[p', t] otherwise. If lim-RS_C = 
LRS_C, the absence of a marking in which a siphon is not marked can be checked 
using a system of linear inequalities: 

Theorem 18. Let (N, m0) be a consistent P/T continuous system. If a solution 
of the following system of inequalities exists, the system is not lim-live. 

$$\begin{aligned}
m &= m_0 + C\cdot\sigma \ge 0\\
y\cdot C_\Sigma &\ge 0\\
y\cdot m &= 0\\
y &> 0\\
\sigma &\ge 0
\end{aligned}$$

In discrete systems there exists a symmetry between traps and siphons (a 
trap is a set of places, P', such that P'• ⊆ •P'), in the sense that marked 
traps cannot be emptied and empty siphons cannot be marked. This symme- 
try is lost in continuous systems if lim-reachability is considered, because al- 
though an empty siphon cannot become marked, a trap can be emptied. For 
instance, in Figure 7, {p1, p2, p3, p4} is a trap that is emptied by the firing of 
tit2 ^t^^ti^t2 \t^\t4.^t2 5^35^45^2 ... This means that traps cannot be used to 
improve the description of the reachability conditions given by the state equation 
as in discrete systems. 
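As an added example (not the paper's code, and with nets constructed here rather than taken from Figure 7), the following Python checks the structural definitions of siphon and trap, lists the siphons that are empty at a given marking (the necessary condition for lim-liveness stated above), and then shows a marked trap being emptied in the limit under continuous firing, in the sense of Definition 6 of Section 4. The first constructed net has a single place p whose only transition t consumes 2 tokens and returns 1: discrete firing is impossible from one token, so the trap stays marked, whereas firing t at its maximal enabling degree gives the markings 1, 1/2, 1/4, ..., all positive, converging to 0. The second constructed net only exercises the siphon enumeration. The names Net, NET, NET2, limit_sequence and discrete_enabled are the example's own.

```python
from fractions import Fraction
from itertools import combinations


class Net:
    """Minimal P/T net: pre[t][p] and post[t][p] are arc weights (absent means 0)."""

    def __init__(self, places, pre, post):
        self.places, self.pre, self.post = list(places), pre, post
        self.transitions = list(pre)

    def pre_set(self, S):
        """•S: transitions having an output place in S."""
        return {t for t in self.transitions if any(p in self.post[t] for p in S)}

    def post_set(self, S):
        """S•: transitions having an input place in S."""
        return {t for t in self.transitions if any(p in self.pre[t] for p in S)}

    def is_siphon(self, S):
        return bool(S) and self.pre_set(S) <= self.post_set(S)

    def is_trap(self, S):
        return bool(S) and self.post_set(S) <= self.pre_set(S)

    def siphons(self):
        """All siphons by exhaustive enumeration of the 2^|P| subsets (small nets only)."""
        return [set(c) for r in range(1, len(self.places) + 1)
                for c in combinations(self.places, r) if self.is_siphon(c)]

    def empty_siphons(self, m):
        """Siphons holding no tokens at m; once empty, a siphon can never be marked again."""
        return [S for S in self.siphons() if all(m[p] == 0 for p in S)]

    def fire_maximal(self, m, t):
        """Continuous semantics: fire t in its maximal enabling degree min_p m[p]/Pre[p, t]."""
        amount = min(Fraction(m[p]) / w for p, w in self.pre[t].items())
        new = {p: Fraction(v) for p, v in m.items()}
        for p, w in self.pre[t].items():
            new[p] -= amount * w
        for p, w in self.post[t].items():
            new[p] += amount * w
        return new


# Constructed net (not the paper's Figure 7): one place p, one transition t that
# consumes 2 tokens from p and returns 1.  {p} is a trap (p• = {t} ⊆ •p) and a siphon.
NET = Net(["p"], pre={"t": {"p": 2}}, post={"t": {"p": 1}})

# Second constructed net: p1 -> t1 -> p2 -> t2 -> p1, plus t3 consuming from p1 with no
# output.  Its only siphon is {p1, p2}; it has no trap because t3 drains tokens.
NET2 = Net(["p1", "p2"],
           pre={"t1": {"p1": 1}, "t2": {"p2": 1}, "t3": {"p1": 1}},
           post={"t1": {"p2": 1}, "t2": {"p1": 1}, "t3": {}})


def discrete_enabled(net, m, t):
    """Discrete semantics: t needs the full arc weight on every input place."""
    return all(m[p] >= w for p, w in net.pre[t].items())


def limit_sequence(net, m0, t, steps):
    """Markings m_0, m_1, ..., m_steps obtained by firing t at maximal degree each time.

    For NET from m0 = {p: 1} this is 1, 1/2, 1/4, ...: every marking keeps the trap
    {p} marked, yet the limit marking 0 leaves it empty (and is a deadlock)."""
    seq = [{p: Fraction(v) for p, v in m0.items()}]
    for _ in range(steps):
        seq.append(net.fire_maximal(seq[-1], t))
    return seq


if __name__ == "__main__":
    print("{p} is a trap:", NET.is_trap({"p"}), "and a siphon:", NET.is_siphon({"p"}))
    print("t enabled as discrete from 1 token:", discrete_enabled(NET, {"p": 1}, "t"))
    print("continuous markings:", [str(m["p"]) for m in limit_sequence(NET, {"p": 1}, "t", 6)])
    print("siphons of NET2:", NET2.siphons(), "empty at [0, 0]:", NET2.empty_siphons({"p1": 0, "p2": 0}))
```

The emptied trap is the asymmetry the text describes: the marked-trap argument of discrete nets relies on integer firings, which the continuous halving sequence does not use, while the siphon argument survives because an empty siphon receives no tokens under either semantics.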





Fig. 7. A live system and its LRG. 
5.5 Particular Results for Some Subclasses 

As usual, the results obtained in the general frame of continuous systems can 
be improved if we restrict to selected subclasses. We concentrate here on two 
subclasses: EQ nets and FC nets. 

First, it can be seen that lim-liveness and lim-deadlock-freeness coincide in 
bounded and strongly connected EQ systems, as happened with their discrete 
counterparts. 

Theorem 19. Let (N, m0) be a bounded, strongly connected, continuous EQ 
system. It is lim-live iff it is lim-deadlock-free. 

Proof. Assume (N, m0) is not lim-live. Then, a transition t and a marking m ∈ 
lim-RS_C(N, m0) exist such that for every m' ∈ RS_C(N, m) the enabling of t is 
zero. Let p ∈ •t. All the transitions in p• are in equal conflict relation, hence 
none of the output transitions of p fires again. The system is bounded, therefore 
a sequence of markings exists such that for their successors the enabling degree 
of the input transitions of p converges to zero. Applying the Bolzano-Weierstrass 
theorem, a convergent subsequence of markings exists. Neither t, nor any input 
transition of p is enabled at the marking reached in the limit, and they will never 
be enabled again. Repeating the reasoning, since the net is strongly connected, 
and the number of transitions is finite, we finally reach a marking in which no 
transition is enabled. □ 

In discrete EQ systems the rank theorem is a characterization of str. live- 
ness and str. boundedness ^3. For continuous EQ systems this result can be 
improved: a characterization of lim-liveness and boundedness can be obtained 
analogous to the one that exists for liveness and boundedness of discrete FC 
systems Q. This provides a simple, polynomial-time way to prove lim-liveness 
of EQ systems: 

Theorem 20. Let (N, m0) be a continuous EQ system. The following condi- 
tions are equivalent: 

1. The system is lim-live and bounded. 

2. The system is consistent, conservative, rank(C) = |SEQS| − 1 (or, equiv- 
alently, it is str. bounded and str. live as discrete) and the support of every 
P-semiflow is marked, i.e., ∄ y > 0 such that y·C = 0, y·m0 = 0. 

Proof. For "1⇒2", applying Theorem^ and the characterization of str. liveness 
and str. boundedness for EQ nets Q, the net must be consistent, conservative 
and rank(C) = |SEQS| − 1. Assume a P-semiflow, y, exists that is not marked. 
Then, for every reachable marking, m, y·m = y·m0 = 0, i.e., none of the 
places in ||y|| can ever be marked. Hence, their output transitions cannot be 
fired, contradiction. 

For "2⇒1", if (N, m0) is not live, it deadlocks (Theorem 19). Let m_d ∈ 
lim-RS_C(N, m0) be a deadlock. Then, for every transition t, a place p ∈ •t 
exists such that m_d[p] = 0. This set of places contains the support of a P- 
semiflow, which is not marked, contradiction. □ 
The properties of EQ systems allow us to extend to lim-liveness and bound- 
edness a sufficient condition for (discrete) str. liveness and str. boundedness Q. 
The idea is to transform the system into an EQ system, and apply the results 
of this class. More specifically, each coupled conflict set is transformed into an 
EQ set. The coupled conflict relation is defined as the transitive closure of the 
str. conflict relation, where t and t' are in str. conflict relation iff •t ∩ •t' ≠ ∅. 
The set of all the equivalence classes is denoted by SCCS. We skip the proof, 
since it is analogous to the one given in Q for the discrete case. 

Theorem 21. Let N be consistent, conservative and rank(C) = |SCCS| − 1. 
Then, N is str. lim-live as a continuous net. Moreover, any marking that marks 
every P-semiflow makes the system lim-live. 

In strongly connected str. bounded EQ systems str. lim-liveness is equiva- 
lent to (discrete) str. liveness, though not in general to str. ε-liveness (see Fig- 
ureH(a)). For strongly connected str. bounded FC nets a stronger result holds: 
(discrete) str. liveness, str. ε-liveness, and str. lim-liveness are equivalent. 

Theorem 22. Let N be a strongly connected, str. bounded FC net. The following 
conditions are equivalent: 

1. N is str. lim-live. 

2. N is str. ε-live. 

3. N is str. (discrete) live. 

Proof. "(1)⇒(2)" is proven in Theorem 16 and "(3)⇒(1)" can be deduced from 
Theorem^. 

For "(2)⇒(3)", assume N is not str. live and let m0 be such that (N, m0) is 
ε-live. We can assume w.l.o.g. that m0 ∈ ℕ^{|P|}. The system is not live as a discrete 
system, hence it deadlocks, i.e., a sequence σ_d exists such that $m_0 \xrightarrow{\sigma_d} m_d$ and 
no transition is enabled at m_d. Then, for every transition t a place p ∈ •t exists 
such that m_d[p] = 0. The same sequence can be fired if the system is considered 
as continuous, and clearly it also leads to a deadlock, contradiction. □ 

6 Conclusions 

A common practice in many fields in which systems with large state spaces ap- 
pear is to relax the description by dropping integrality constraints on the state 
equation. Moreover, there are systems in which discrete parts are mixed with 
other parts that are more naturally represented as continuous. In P/T systems 
this idea has led to the definition of continuous and hybrid P/T systems. Some 
of these models incorporate a continuous part by means of algebraic differential 
equations QQ, others allow non-integer markings in some places QQ (see Q 
for a comparison of different approaches through the modelling of a benchmark 
example). This latter approach is the one that is considered here, although with 
one main difference: we study autonomous models, i.e. without any timed inter- 
pretation. 
The basic definitions of P/T systems are extended to the continuous case in 
Section 2, allowing real non-negative markings, and the firing of transitions in 
any real non-negative amount. An immediate consequence of the possibility of 
firing transitions in non-discrete amounts is that the behavior of a continuous 
system does not change if the initial marking is scaled. This does not happen 
in discrete systems (for instance, a discrete system may be deadlock-free with a 
certain marking, and deadlock if the initial marking is doubled). This means that 
monotonicity of the properties w.r.t. scaling, which is not basic for the study of 
discrete systems, is a must if we want the continuous view to be coherent with 
the discrete one. In other words, a system should not be studied as continuous 
if the exact amount of tokens is so important in determining its behavior. 

The relaxation of the notions of marking and firing, allowing positive real 
numbers, is quite intuitive. However, the extension of reachability is not so im- 
mediate. This concept is central for the eventual analysis of logic properties of 
the modeled systems, but it has not been properly investigated before. In this 
paper two possible definitions of reachability have been introduced, and their 
analysis explored. 

With the first notion of reachability, the idea of a finite sequence of firings 
is preserved. Some examples are presented in Section 3 showing that with this 
definition of reachability the behavior of continuous and discrete systems can be 
completely different. The second notion, introduced in Section 4, allows infinitely 
long firing sequences, leading to the concept of limit reachable markings. 

Another difference w.r.t. the discrete case is that in continuous systems the 
set of reachable markings is a convex set, independently of which reachability 
definition is considered. Apparently, deciding whether a certain marking is reach- 
able or not, when the firing is not restricted to be integer, is more difficult than 
in the integer case. However, under the limit reachability definition, in most 
practical cases the set of reachable markings coincides with the solutions of the 
state equation. 

Liveness and deadlock-freeness are studied in Section 5. Two definitions of 
liveness, ε-liveness and lim-liveness, and the corresponding two definitions of 
deadlock-freeness, have been introduced, each one associated to one of the def- 
initions of reachability. These two continuous liveness definitions and the dis- 
crete liveness definition are compared. As a result it is deduced that in bounded 
systems lim-liveness implies ε-liveness and (discrete) str. liveness. For bounded 
strongly connected EQ systems, this result can be improved: str. lim-liveness and 
discrete str. liveness coincide. Moreover, they are also equivalent to ε-liveness in 
the case of FC systems. These relations among discrete and continuous liveness 
definitions allow us to obtain two necessary conditions for lim-liveness and bound- 
edness, and a sufficient one, which are analogous to the ones that exist in the 
discrete case. 

From our experience after this work, we conclude that although both def- 
initions of reachability are interesting, limit reachability seems to be especially 
convenient. On the one hand, the idea of treating very small quantities as zero is 
reasonable if continuous systems are considered as an approximation of discrete 
systems. On the other, the simple representation of the lim-RS_C in most practi- 
cal cases (the solutions of the state equation) offers a clear advantage w.r.t. the 
RS_C, for which there seems to be no simple way to deduce whether a certain 
marking can be reached or not. However, further investigations about how to 
extend other properties of discrete P/T systems should be done before making 
a choice. 
Abstract. The ODP Trader provides a match-making service for Objects in an Open 
Distributed System. In previous work, a model of the Trader was created using 
Coloured Petri Nets, incorporating its capacity for standalone and co-operative 
Interworking amongst multiple Trader instances. In this paper, the CPN model of the 
Trader is analysed using Equivalence Classes (for Occurrence Graph reduction) when 
the Trader is configured as a standalone entity servicing multiple requests 
concurrently. The Trader is also analysed in a number of interworking scenarios 
which are, in turn, used for reasoning about complex Trader interworking topologies. 

Keywords: ODP Trader; Interworking; Coloured Petri Nets; Scenario Analysis 

1 Introduction 

Trading [1] is an information infrastructure service which allows software entities to advertise, or 
export a service or resource to a trusted third party, known as the Trader. The service or resource being 
exported usually has properties associated with it, which may be static or dynamic. The Trader 
maintains a database of exported services which includes the type of service being advertised and its 
associated properties. 

With the possibly widespread use of Traders, it is important that the Trading standard is error-free and 
unambiguous. It is also important to ensure that the Trader is as efficient as possible, especially when 
interworking with other Traders. 

In order to engineer reliable Open Distributed Systems, there is a need for formal modelling 
techniques. Such techniques must be capable of capturing the essence of a system in a manner which is 
readable and moreover, utilise a mathematical basis that allows the system to be formally analysed. 
One way to ensure correctness of the Trader is to create a formal model which can be analysed to verify 
that the model behaves as expected under all conditions. Coloured Petri Nets (CPNs) [2] are a 
formalism which has been developed for modelling and analysis of concurrent systems. In this paper, 
we outline an approach for analysis of a CPN model of the Trader (a distributed software entity) and 
aim to verify its correctness. 

2 The Trading Function 

Trading is a fundamentally important part of the realisation of Open Object-based Distributed 
Systems (OOBDS) and has been the topic of standardisation by the International Organisation for 
Standardisation (ISO), the International Electrotechnical Commission (IEC) and the International 
Telecommunications Union (ITU-T) as part of their work on the Reference Model for Open 
Distributed Processing (RM-ODP) [3]. 

The RM-ODP Trading standard was developed to facilitate the dynamic location of resources or 
services, such as for example, a printing service in an OOBDS. It has been included as a Common 
Object Service (COS) in the Object Management Group’s (OMG) Common Object Request Broker 
Architecture 2.0 (CORBA) [4], a well-known Middleware Specification. 

2.1 Basic Trading Entities 

There are three main entities involved in the trading function, namely, the Exporter, Importer and the 
Trader itself. The sequence of interactions between these entities is shown in Figure 1 [6]. 




Fig. 1. Sequence of Interactions between Exporter, Trader, and Importer 

1. Service Export: The Trader receives a service export from the Exporter. This request includes a 
description of the service, a location at which the service may be accessed, properties of the 
service and optional selection criteria. The service interface’s type and associated properties are 
checked with a Type Repository to ensure legality. Details of the exported service are then stored 
in a database. 

2. Import Request: The Trader receives a service import request (or Query) from a client. This 
request includes the type of service required, a list of desired attributes and optional selection 
criteria. The Trader checks with the Type Repository to ensure that the requested service and 
properties are legal. 

3. Import Reply: The Trader searches its database of exported services and returns any successful 
matches after applying optional selection criteria. 

4. Service Invocation: If a match is found, the Importer contacts the Exporter independently of the 
Trader to utilise the service. 

5. Service Reply: The Exporter replies to the Importer’s service request. 

An example of a service that may be exported is an e-mail application that allows software entities to 
e-mail data. This service could be utilised by a migrating software entity that must e-mail the results of 
searching activities to its owner. Since the entity does not have a fixed location, it must locate a suitable 
server object as it moves. By utilising the Trading service, the entity is able to locate a server by 
specifying the required service type and important service attributes such as, for example, the ability to 
send binary files. 

2.2 Links 

The Trader uses links to other Traders for interworking. A link contains the following information [1]: 

• unique Link name, 

• the Lookup Interface of the Trader being linked to (used to send Queries), 

• the Register Interface of the Trader being linked to (used to Register services), 

• a default link follow behaviour policy, 

• limiting link follow behaviour policy. 

A link follow behaviour policy can take one of the following values: 

• local_only: restricts the Query to being processed by the local Trader only. (It is not 
permitted to forward the Query to linked Traders), 

• if_no_local: limits the Trader to local processing except in the case where there are no 
local matches to the Query. In this situation, the Trader is permitted to forward the Query 
to linked Traders, or 

• always: permits the Trader to forward Queries to linked Traders. 

These behaviour policies are listed from weakest to strongest and can be used to restrict the 
propagation of requests to linked Traders. This ordering makes it possible to calculate the smallest or 
minimum behaviour from a set of behaviours. This is important when multiple policies are compared 
as in the following examples: 

min (always, if_no_local, local_only) = local_only 
min(always, if_no_local, always) = if_no_local 

The Trader uses min() and merged_policy_options() to unify its Link follow policy with 
those of the Query and the Link. The Lookup and Register interfaces are references to the respective 
interfaces of the Trader being linked to. The default follow behaviour policy is used when the 
importer’s Query does not specify a follow behaviour. The limiting follow behaviour is the strongest 
follow policy that the link will allow when forwarding queries to the Trader associated with the link. 

2.3 An Improved Interworking Protocol 

There are a number of ambiguities and areas requiring optimisation in the Trading standard’s 
specification of the interworking protocol [1]. The protocol ensures that infinite looping of Queries 
cannot occur but does not achieve this goal efficiently. In particular, the following aspects require 
further clarification: 

• bi-directional Trading links result in wasteful Query propagation. 

• the standard does not prescribe what happens when a duplicate is detected. It only states 
that the Query is not “processed”. Does this mean that duplicates should be ignored? 

• the standard does not ensure deterministic traversal of all linked Traders. This means that 
under certain circumstances, a Query with the same parameters may return a different list 
of matching Offers. 

A product of the Modelling exercise was identification of these ambiguities and suggestion of 
alternative policies to address the issues identified. It was proposed to: 

• no longer allow Queries to be propagated back to the Trader from which it came (in the 
case of a bi-directional link). 

• return a null list of matching local offers when processing duplicate Queries (avoids 
deadlock), 

• propagate duplicate Queries to all linked Traders when the duplicate Query has a larger 
hop_count than when it was processed before (ensures a deterministic traversal of the 
Offer Space). 

See [7] for a more detailed discussion of the Trader interworking protocol ambiguities and proposed 
solutions. 
3 CPN Model of the Trader 

Using Design/CPN® [5], a hierarchical model of the Trader was created containing 17 pages of CPNs 
(containing 109 places and 52 transitions) and 1200 lines of CPN/ML code (for defining colour sets 
and functions). In the CPN model, the Trader included functionality to allow Offers to be added to the 
Offer Space (export), Offers to be matched from the Offer Space (import) and concurrent processing of 
multiple Queries (multi-threading). Objects (such as the Trader, Importer and Exporter) were 
modelled using a hierarchy of pages and use message-passing via interfaces and the Comms_Medium 
shared place to communicate with each other. 

The Trader Environment page (Trad_Env#2), shown in figure 2, is the highest page in the model. It is 
used to model the object instances in the system, where each instance is represented by a hierarchical 
substitution transition (denoted HS). The sub-page associated with each substitution transition is 
shown in a nearby box. When multiple instances of objects are in the system, each instance refers to an 
instance of the same sub-page, which has its own marking and hence, its own state. 



Fig. 2: Trading Environment (Trad_Env#2) 



The Trader object is modelled on Trad_Int#3 (figure 3) as a group of interfaces which are connected to 
the Comms_Medium and also to functional operations (methods). The Trader’s interfaces are 
grouped into three major categories: Functional, Inter-Object and Abstract. Functional interfaces are 
provided by the Trader to its clients and provide an interface to the Trading function’s basic services. 
Inter-object interfaces are used by the Trader when communicating with the LinkSpace and 
OfferSpace objects (utility objects in the model). The Abstract interface provides clients with a means 
for inspecting Trader attributes. 

Due to space limitations, a detailed presentation of the CPN model of the Trading Environment cannot 
be presented here. However, for more information, the reader is directed to [7,8] for a complete 
discussion of the model. 
Fig. 3: Trading Interfaces (Trad_Int#3) 

4 Approach to Analysis of the Trader Model 

Having given a (very brief) outline of the CPN model, we now concentrate on analysing the model, 
with special emphasis on the interworking of Traders. Analysis of the CPN model of the Trading 
Environment aims to show the following: 

1. correct operation of a Trader which does not interwork (standalone) processing a single 
Query. 

2. correct operation of a standalone Trader with multiple concurrent Queries (internal 
multi-threading). 

3. correct operation of multiple Traders operating concurrently and independently. 

4. identify and ensure correct behaviour for all stopping conditions required for Query 
propagation. 

5. analysis of complex Trading Environment configurations. 

4.1 Occurrence Graph Analysis 

When the model successfully completed scenarios in the simulator, the next step was to perform 
Occurrence Graph (OG) Analysis. When analysing the Trader model (which possibly contained 
modelling errors that result in huge OGs), the technique adopted for generating OGs was a 
combination of breadth-first and subsequent depth creation of the OG. By altering the OG generation 
branching factor via Design/CPN’s OGSet.BranchingOptions function, it was possible to limit 
to 1 the number of bindings and transition elements considered when generating nodes in the graph. 

In practice, this meant that for an initial period of time, the OGA tool was directed to generate the OG 
breadth first. This provided a large number of markings that were reached from the initial marking and 
could be subsequently investigated through depth-based generation of the OG. Utilising a 
breadth-based followed by depth-based generation of the OG made it possible to quickly narrow in 
on a final terminal marking which should be reachable from all nodes in the OG. 

With models that are expected to terminate in the same state after all simulation runs, the OG contains a 
single dead node (terminal marking). This is because all of the paths that lead from the first marking of 
the model (node 1 in the OG) eventually reach the dead node. This node is also a home marking [2] 
since it can be reached by all other reachable markings. If the OG contains a single dead node and its 
marking is correct (based upon expected behaviour for the scenario), then the scenario has been 
verified. 

Since the aim of the OG analysis of the model is to detect all of the dead nodes in the OG (although a 
single dead node is expected), this technique increases confidence in the model since dead nodes are 
calculated much earlier. Even though not all nodes have been calculated, the fact that all paths that have 
been calculated lead to the same dead node is a promising sign. If there is more than one dead node in 
the OG after using this technique, then it is safe to assume that the model is flawed. It is then possible to 
investigate the bindings and transitions that resulted in obtaining multiple dead nodes, which in turn 
leads to the cause of the modelling error. 

When analysing the Trader, it became evident that modelling errors related to distinguishing between 
tokens within threads allowed state information of threads to become confused. This manifested itself 
when tokens belonging to a given thread were used by a different thread. In this situation, both threads 
became corrupted and the model ceased to function correctly and thus, the resulting OG contained 
more than one terminal marking (determined by the standard CPN/ML library function 
ListDeadMarkings()). 

Simulation runs were less capable of finding these errors since, in most cases, they did not test the case 
where concurrent requests are at the same stage of processing within the model, the source of most 
errors. OG analysis of the model was much quicker and more effective at detecting concurrent thread 
modelling errors. 

4.2 Occurrence Graphs with Equivalence Classes 

To allow processing of multiple Queries concurrently (multi-threading) the CPN Trader model 
utilises a unique transaction identifier (t_id) which is associated with each Query as it is processed. 
When processing multiple Queries, it is possible for Queries to arrive in any order (2! possibilities with 
2 Queries, and 3! with 3 Queries). This means that there are multiple paths through the OG which 
represent the same Trading behaviour (but use a different value for the Query transaction identifier). 
Having transaction identifiers allows the Trader to differentiate between tokens that are used by 
multiple threads of execution, but the threads operate in exactly the same way irrespective of the 
unique transaction identifier’s value. 

As demonstrated in [9], it is possible to use OGs with equivalence classes (OEOS) [10] to reduce the 
size of an OG. The same technique can be applied when analysing the Trader model presented in [7], 
where Equivalence Classes are used to map out the t_ids used by Traders when servicing multiple 
requests concurrently. This can greatly reduce the size of the OG because t_ids are assigned to 
Queries on a first-come first-served basis whilst the arrival order of Queries is non-deterministic. 
Without using Equivalence Classes, the resulting OG includes nodes representing use of different 
t_ids for each Query, which enlarges the size of the OG without providing extra analytical benefit 
(since the value of a Query’s t_id must be unique within the Trader, but its value is unimportant). 
Thus, Equivalence Classes can be used when generating an OG to detect markings that are equivalent 
and to represent them using a single node in the OG, thereby reducing its size. 

Projection functions (EquivBE() and EquivMark()) which map out the t_id from tokens (such 
as those of colour set Message and Op_Data) were created. Using these functions, the OEOS tool was 
used to calculate reduced Equivalent OGs for scenarios that included concurrent Query servicing by a 
Trader. However, the projection functions were not created to map out Trader object identifiers. 
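To make the OG generation of section 4.1 and the mapping-out of t_ids in section 4.2 concrete, here is an added Python example (not the paper's CPN/ML code) over a constructed toy state space of two concurrent Queries: each Query is a chain of 20 markings, t_ids are handed out first-come first-served from a counter, and a projection function in the role of EquivMark() drops every t_id value. The node, arc and dead-marking counts are those of the toy, not the paper's figures.

```python
from collections import deque

STEPS = 19   # constructed: 20 markings per Query (progress 0..19), like the 20-node type A OG

# A marking is (next_tid, tid1, tid2, prog1, prog2).  A Query draws its t_id from
# the next_tid counter on its first step (first-come first-served); its thread
# tokens are consumed on its last step, so every interleaving ends in the same
# terminal marking.
INITIAL = (1, 0, 0, 0, 0)


def step(marking, q):
    """Binding element: Query q (0 or 1) takes one processing step."""
    nxt = marking[0]
    tids = list(marking[1:3])
    progs = list(marking[3:5])
    if progs[q] == 0:                # first step: assign the next free t_id
        tids[q], nxt = nxt, nxt + 1
    progs[q] += 1
    if progs[q] == STEPS:            # last step: the thread's tokens disappear
        tids[q] = 0
    return (nxt, tids[0], tids[1], progs[0], progs[1])


def successors(marking):
    """Enabled steps: each Query that has not finished may take its next step."""
    return [step(marking, q) for q in (0, 1) if marking[3 + q] < STEPS]


def identity(marking):
    return marking


def equiv_mark(marking):
    """Projection in the spirit of the paper's EquivMark(): map out every t_id
    value (the counter and both thread ids), keeping only each thread's progress."""
    return marking[3:5]


def generate_og(project=identity):
    """Breadth-first OG generation.  Nodes are keyed by project(marking), so with
    project=equiv_mark equivalent markings share one node (an OG with equivalence
    classes).  Returns (node_count, arc_count, dead_markings)."""
    seen = {project(INITIAL)}
    queue = deque([INITIAL])
    arcs, dead = 0, []
    while queue:
        m = queue.popleft()
        succ = successors(m)
        if not succ:                 # dead node: no enabled binding element
            dead.append(project(m))
        for s in succ:
            arcs += 1
            key = project(s)
            if key not in seen:
                seen.add(key)
                queue.append(s)
    return len(seen), arcs, dead


def list_dead_markings(project=identity):
    """Analogue of CPN/ML's ListDeadMarkings(): the OG's terminal markings."""
    return generate_og(project)[2]


if __name__ == "__main__":
    for name, proj in (("full OG", identity), ("OG with equivalence classes", equiv_mark)):
        nodes, arcs, dead = generate_og(proj)
        print(f"{name}: nodes={nodes} arcs={arcs} dead={dead}")
```

The full OG has 760 nodes and the reduced one 400 (20 x 20, the product the paper reasons with in section 5.2); both contain exactly one dead marking.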

5 Analysis of a Trader Configured as a Standalone 

A fundamental step in the analysis of interworking Traders is the analysis of a Trader which is 
configured to be a standalone Trader. This means that the Trader does not interact with other Traders 
when processing a Query. The analysis must include all permutations of relevant initial conditions and 
the servicing of multiple requests by concurrently executing threads of control. In order to verify the 
correct operation of the Trader’s Query operation as a standalone entity, the model must include at least 
one instance of the following objects: Trader, Importer, OfferSpace and LinkSpace. For analysis of the 
Export operation, an Exporter must also be included in the model. 

5.1 Single Non-threaded Trader Query 

A single non-threaded Trader is the simplest of scenarios, in which the Trader has a single Query to 
service and does not forward the Query to linked Traders. This scenario is shown in figure 4, where an 
Importer is represented by a dashed circle containing an I, and the Trader is represented by a circle 
containing a T and an instance identifier (1 or 2). When analysing a standalone Trader, it is possible 
that the Query is not propagated to linked Traders due to policy limitations rather than a lack of links to 
follow. This is shown in figure 4, where a dashed link from T1 to T2 exists but is not pursued by the 
Query (shown as a dashed arrow). Note that verification of the Trader’s Export functionality is 
presented in [7] but is omitted here due to space limitations. 

OG analysis of the Trader can be used to verify that the Trader successfully performs a Query operation 
and always finishes the Query with exactly the same marking. This marking should indicate that: 

• a response to the Query containing matching offers associated with all Traders visited by 
the Query was received by the Importer, 

• all objects are in a clean state (no unexpected tokens remain in an object’s CPN). 

All possible permutations of the stopping conditions need to be considered when verifying the 
scenario in figure 4. To ensure that the model behaves correctly under all conditions, each of the 
possible return values for merge_policy_options() must be used with: 

• hop_count = 0 and hop_count<>0 and 

• links_available = 0 and links_available<>0 

Table 1 shows the results of OG verification for each of the scenario permutations when the number of 
available links = 0 (i.e. the LinkSpace object returns an empty list of links). Two unique behaviours 
were identified in the scenarios, resulting in two classes of OG (A, B). 

Table 1 shows that the model displays identical behaviour when the unified policy = local_only 
and when the hop_count = 0. This behaviour is denoted as type A. For combinations which resulted 
in a type A OG, the Trader did not issue a request to the LinkSpace object to get_links (since the 
Query does not need to be propagated), resulting in a small OG (20 nodes). 

In contrast, combinations resulting in type B OGs did contain a reference to the LinkSpace object to 
get_links. This is expected since when merged_policy_options() = 
if_no_local or always, the Trader needs to get links from the LinkSpace object, regardless of 
whether the links are subsequently used or not. This depends upon the results obtained from a local 
search of the OfferSpace and the link’s follow policy. 

Table 1 - Combinations of hop_count and follow_option for links=0 

Available links=0                         merged follow_option 
Query hop_count     local_only    if_no_local and       if_no_local and        always 
                                  local_match=true      local_match=false 
= 0                 A             A                     A                      A 
<>0                 A             B                     B                      B 

A: Nodes=20, Arcs=21 Full OG. Simulation = 20 steps 
B: Nodes=75, Arcs=122 Full OG. Simulation = 26 steps 

It follows that combinations resulting in type A OGs are not affected by changing the number of links 
associated with a Trader because the links are never obtained. Thus, only combinations resulting in 
type B OGs need to be investigated further when the number of links available is non-zero, as shown in 
Table 2. 

Table 2 - Combinations of hop_count and follow_option for links<>0 

Available links<>0                        merged follow_option 
Query hop_count     local_only    if_no_local and       if_no_local and        always 
                                  local_match=true      local_match=false 
= 0                 N/A           N/A                   N/A                    N/A 
<>0                 N/A           C                     link search            link search 

C: Nodes=85, Arcs=140 Full OG. Simulation = 28 steps 

When the merged_policy_options() = if_no_local, the hop_count<>0, a local match 
to the Query is found and there are links to follow, the Trader exhibits a third behaviour denoted C. 
This behaviour is observed because the Trader obtains links from the LinkSpace object and performs a 
local offer space search which results in a matching offer, thereby signalling that the search is not to be 
propagated further. Some combinations with non-zero links result in the Query being propagated 
along a link (marked as link search) which is beyond the scope of analysis for a standalone Trader (see 
section 7). 

The Trader processes if_no_local requests with an extra two transition occurrences when 
compared with type B behaviour. The Trader aborts searching linked Traders when it determines that 
the local search resulted in a successful match. Since behaviour C exhibits two more transition 
occurrences than behaviour B, it has a larger OG. 

By using CPN/ML’s ListDeadMarkings() function call, it is possible to verify for each OG that it 
contains a single terminal marking. This means that the model reaches a single conclusive state whose 
marking may be checked to ensure that it is the expected terminal state of the model. 

At this point, the Trader’s behaviour has been verified for all possible permutations of its controlling 
parameters and this result can now be used as a building block for further verification. 
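The follow-policy ordering and min() of section 2.2 together with the stopping parameters that produce the OG classes of Tables 1 and 2, as an added Python example (not the paper's CPN/ML model). The merge rule in merged_policy_options(), the Link record layout and the non-zero hop_count value used for the "<>0" row are assumptions made here.

```python
from dataclasses import dataclass

# Follow policies ordered from weakest to strongest (section 2.2).
POLICIES = ("local_only", "if_no_local", "always")


def policy_min(*policies):
    """min() over follow policies: the weakest (most restrictive) policy wins."""
    return min(policies, key=POLICIES.index)


@dataclass
class Link:
    name: str
    default_follow: str     # used when the Query specifies no follow behaviour
    limiting_follow: str    # strongest policy the link allows when forwarding


def merged_policy_options(query_follow, link):
    """Unify the Query's policy with the link's.  Assumption: the link's default
    replaces a missing Query policy and the result is then min()'ed with the
    link's limiting policy."""
    effective = query_follow if query_follow is not None else link.default_follow
    return policy_min(effective, link.limiting_follow)


def standalone_behaviour(merged_follow, hop_count, links_available, local_match):
    """Map the stopping parameters of one Query to the OG classes of section 5.1."""
    if hop_count == 0 or merged_follow == "local_only":
        return "A"              # links never requested from the LinkSpace
    if links_available == 0:
        return "B"              # get_links issued, empty list returned
    if merged_follow == "if_no_local" and local_match:
        return "C"              # links obtained, but the local match stops propagation
    return "link search"        # Query is forwarded: outside the standalone analysis


# Column order of Tables 1 and 2: (merged follow_option, local_match)
COLUMNS = (("local_only", False), ("if_no_local", True),
           ("if_no_local", False), ("always", False))


def behaviour_table(links_available):
    """Rows '= 0' and '<>0' for hop_count (3 is a constructed non-zero value)."""
    return {row: [standalone_behaviour(policy, hop, links_available, match)
                  for policy, match in COLUMNS]
            for row, hop in (("= 0", 0), ("<>0", 3))}


def handle_query(query_follow, link, hop_count, links_available, local_match):
    """Full path: unify the policies first, then classify the resulting behaviour."""
    return standalone_behaviour(merged_policy_options(query_follow, link),
                                hop_count, links_available, local_match)


if __name__ == "__main__":
    print("links=0 :", behaviour_table(0))
    print("links<>0:", behaviour_table(2))
    lnk = Link("L1", default_follow="always", limiting_follow="if_no_local")
    print(handle_query(None, lnk, hop_count=2, links_available=1, local_match=True))
```

For links<>0 the cells that Table 2 leaves as N/A (hop_count = 0 and local_only) come out as A here, which is why the paper did not need to investigate them.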
5.2 Single Trader with Concurrent Request Servicing 

There is a need to verify that multiple concurrently executing threads within the Trader do not interact 
in an undesired manner. Since there is a high degree of internal concurrency within the Trader itself, 
applying Occurrence Graphs with Equivalences reduces the size of the model’s OG by mapping out 
the t_id field inside tokens. This field is used by the model to distinguish tokens belonging to 
different threads. The identifier associated with a thread depends upon the order in which it is 
processed. This is a non-deterministic property of the model and is mapped out by the Equivalence 
relation used in the Design/CPN OEOS tool [5]. 

In figure 5, the Trader is sent two Queries (Query 1 and Query 2) by two Importers (I1 and I2). These 
requests are generally for different services, although this is not critical for the verification of 
independent concurrent service processing. It is also possible that the two Queries originate from the 
same Importer (e.g. I1), rather than from two Importers. 




Fig. 4. Trader servicing a single Query 

Fig. 5. The Trader services multiple Queries concurrently 

In section 5.1, three fundamental standalone Trader behaviours were identified (A, B and C). When 
verifying that the Trader can service multiple Queries concurrently, it is important to test all possible 
combinations of Trader behaviours. Having identified the three fundamental Trading behaviours, 
only combinations of behaviour A, B and C must be investigated. The following combinations have 
been identified: 

Query1=A, Query2=A or Query1=A, Query2=B or Query1=A, Query2=C or 
Query1=B, Query2=B or Query1=C, Query2=C 

Thus, when a Trader services a type A Query, it displays behaviour of a type A OG. Similarly, 
servicing a type C Query will result in a type C OG. Table 3 shows the number of steps required for 
simulation runs using different combinations of concurrent Queries that are processed by a standalone 
Trader. Due to symmetry, some of the scenarios are redundant since they are already included in the 
table. 

In order to display type B behaviour, the Trader must not have any links available, whereas type C 
behaviour requires the Trader to have at least one link available in the LinkSpace object. Thus, it is not 
possible for a Trader to service a type B Query at the same time as a type C Query since they are 
mutually exclusive (Mut-Ex). 

The simulation step values in Table 3 are as expected, based upon the number of steps required to 
simulate single type A, B and C behaviours (calculated in section 5.1), e.g., 

A concurrent A = 20 + 20 = 40, A concurrent C = 20 + 28 = 48, 
B concurrent B = 26 + 26 = 52 
Table 3 - OG/OEOS size and simulation steps for Single Trader Concurrent Queries 
(values in parentheses: OG using Equivalence Classes) 

Query 2 \ Query 1 behaviour   A                     B                       C 
A                             Nodes=680 (399)       Redundant               Redundant 
                              Arcs=1284 (773) 
                              Secs=11 (5) 
                              40 steps 
B                             Nodes=2630 (1547)     Nodes=10124 (4274)      Mut-Ex 
                              Arcs=6756 (3954)      Arcs=32820 (13163) 
                              Secs=74 (26)          Secs=507 (97) 
                              46 steps              52 steps 
C                             Nodes=2992 (1753)     Mut-Ex                  Nodes=13104 (4096) 
                              Arcs=7740 (4516)                              Arcs=42956 (12323) 
                              Secs=89 (29)                                  Secs=653 (91) 
                              48 steps                                      56 steps 

In addition, table 3 also provides statistics for standard OGs (no equivalence classes used) and OGs 
using Equivalence Classes (in parentheses) for each combination of concurrent Query types. For each OG 
described in Table 3, there is a single terminal marking which corresponds to successful termination of 
the concurrent Queries. 

The result for two concurrent A Queries is expected since for each state of Query A there are 20 different 
possible states for Query A’, resulting in 400 different states. The terminal marking of this example 
combines two of the states into one, resulting in 399 states using Equivalence Classes. OEOS analysis 
resulted in significantly smaller OGs whilst still detecting the single terminal marking in each case. 

5.3 Summary 

In this section, the Trader’s most basic functionality has been verified, where a single Query and 
concurrent Queries are processed by a standalone Trader. All of the possible stopping criteria were 
used in the verification and it was found in section 5.1 that the Trader’s behaviour was identical when 
hop_count = 0 and merge_policy_option() = local_only (type A OG). 

The three unique behaviour types may be summarised as: 

A: The Trader does not attempt to get its links, 

B: The Trader gets its links but finds that there are no links to pursue, 

C: The Trader has a unified policy of if_no_local, obtains valid links from the LinkSpace 
object but does not send the Query to linked Traders because it also obtains a local 
OfferSpace match to the Query. 

In section 5.2, a single Trader was configured in scenarios to concurrently service each of the basic 
behaviour pairs. This showed that the Trader is capable of servicing all types of Queries concurrently 
without exhibiting undesirable behaviour (deadlock). The results presented in this section will now be 
used for further analysis of multiple independent Traders in following sections. 

6 Analysis of Multiple Independent Traders 

In section 5, the basic standalone Trader functionality was verified for all permutations of parameters 
(policies, links and offers), thereby testing all standalone Trader stopping conditions for single and 
concurrent Query processing. In this section, the previous result is used to verify the correct operation 
of multiple Traders operating independently but concurrently in the same system. 

6.1 Multiple Autonomous Objects 

It is important to verify that the model can contain multiple autonomous entities which do not 
“interfere” with each other. An abstract model of concurrent independent Traders is shown in figure 6, 
where Traders (T1 and T2) service 2 Queries independently. 

Since there is no internal thread concurrency within the Traders, there is no benefit to be obtained by 
using OEOS to generate the OG. Using the OGA, it was found that there were no deadlocks since a 
single dead node was observed in the OG (table 4). The single terminal marking in the OG indicates 
that for all possible behaviours, the model always terminates in the same desirable state. 

In section 5.1, it was shown that when issued as the sole Query to a standalone Trader, OGs for 
servicing of Type A, B and C Queries all contained a single terminal marking. In this section, it has 
been shown that combinations of Query types can be serviced concurrently by two independent 
Traders. 

Thus, it has been shown that the model is capable of allowing multiple instances of Traders to operate 
independently and concurrently. This result may appear intuitive, but it ensures that the CPN model of 
the Trader does not allow any hidden interactions between Traders when there are multiple Trader 
instances operating concurrently. 

Table 4 - OG size for Multiple Traders 

Trader 2 Query \ Trader 1 Query behaviour   A                  B                   C 
A                                           Nodes=437          Redundant           Redundant 
                                            Arcs=828 
                                            Secs=2 
B                                           Nodes=1547         Nodes=5429          Mut-Ex 
                                            Arcs=3954          Arcs=17376 
                                            Secs=37            Secs=142 
C                                           Nodes=1753         Mut-Ex              Nodes=6969 
                                            Arcs=4516                              Arcs=22584 
                                            Secs=43                                Secs=161 

6.2 Multiple Autonomous Threaded Objects 

The final step in the basic verification of the Trader is to verify that the model can accommodate 
multiple Trader instances that are autonomous, operate concurrently and independently and can 
service multiple requests concurrently. This will be accomplished using the results from previous 
sections. 

In section 5.2, it was verified that the Trader model was capable of successfully servicing multiple 
Queries concurrently. Section 6.1 showed that the model is capable of containing multiple 
independent Traders. Using these two results, it can be deduced that the model allows multiple 
independent Traders to operate concurrently (from 6.1), where each Trader is able to service multiple 
Queries concurrently. This is shown in figure 7. 

This result is significant because it allows complicated Trading scenarios to be broken down into more 
manageable independent concurrent activities which can be verified individually. Since it has been 
shown that multiple concurrent Traders do not interact in unexpected ways, it is possible to break 
down complicated scenarios into a number of simple scenarios which operate concurrently but 
independently. This result will be used when verifying more complex interworking Trader scenarios 
in section 7.5. 




Fig. 6. 2 Traders and 2 independent Queries 

Fig. 7. 2 Traders and 4 independent Queries 



7 Analysis of Interworking Traders 



To verify the interworking of Traders, it is necessary to create a series of scenarios in which multiple 
traders interact. These scenarios will verify a set of Query stopping conditions which can be used to 
verify that forwarded Queries always terminate. The analysis also ensures that the model does not 
contain livelocks or deadlocks. The analysis builds upon the results of the previous sections and aims 
to verify the interworking of m Traders, each of which is capable of servicing n requests concurrently, 
where n and m are positive integers. 



7.1 Recursive Definition of Interworking Traders 

When a Query is propagated to linked Traders, the forwarded Query is a slightly modified version of 
the initial Query since it has a smaller hop_count and possibly, a different follow_policy. A 
propagated Query is serviced by a different Trader using the same type of interface, but the Query has 
slightly different parameters to those of the initial Query. This resembles a recursive situation in which 
a function calls itself many times with different parameters until it reaches a point at which it no longer 
calls itself. At that point, it retraces its path through the recursive function calls until it reaches the initial 
call and returns its result. 

According to Garland [11], a recursive problem must meet two requirements if it is to solve a problem 
successfully. They are: 

• any invocation of a recursive sub-program from within its own definition must solve a 
problem simpler than the one used when the program was first invoked, 

• there must be some instances in which the recursive sub-program does not invoke itself 
recursively (stopping conditions). 

A recursive approach to algorithms is commonplace in functional programming languages such as
SML, because it allows a small function to call itself repeatedly until the problem has been solved. Traders
are considered to do the same thing when they interwork, since a Query is continually broken up
into smaller, more easily processed elements which are forwarded to linked Traders. Each such Query
should eventually reach a point at which it is no longer propagated and the Query trail is re-traced back
to the Trader which received the initial Query.

The analysis of the Trader in this section exploits the recursive behaviour displayed by the Trader and 
combines it with a number of stopping conditions to verify that forwarded Queries always terminate. 
In addition, it will be shown that when an offer is propagated between Traders, its path through the 
Trading graph is deterministic. 
7.2 Reducing the size of the Problem

The Trader reduces the size of the problem (forwarding of Queries to linked Traders) in two ways. 
Firstly, it reduces by 1 the hop_count in a Query’s Import Policy when it is forwarded to linked 
Traders. It is also possible for the follow_policy of a Query to be reduced in strength as it is 
propagated, either by the Trader itself, or the link which the Query is following (i.e. from 
if_no_local to local_only). Using either of these two parameters, it is possible to limit the 
number of links the Query follows, thereby reducing the size of the problem. 

7.3 Interworking Query Stopping Conditions 

When modelling the Trader, the following six Query stopping conditions were identified. Each of the
conditions has been modelled in an associated scenario as shown in Table 5. A valid link is one that is
not a reverse link back to the Trader from which the Query was received [7].

Table 5 - Scenario Stopping conditions

Stopping conditions:
  (1) hop_count = 0
  (2) total available links = 0
  (3) merged policy = local_only
  (4) merged policy = if_no_local but gets a local match
  (5) total available links ≠ 0 but valid links = 0
  (6) Query re-visits a Trader with a smaller hop_count

Scenario    (1)  (2)  (3)  (4)  (5)  (6)
1            Y    N    N    N    N    N
2            N    Y    N    N    N    N
3            N    N    Y    N    N    N
4            N    N    N    Y    N    N
5            N    N    N    N    Y    N
6            N    N    N    N    N    Y
Combined     Y    Y    Y    Y    Y    Y


The scenarios are used to verify that a Query will stop being propagated when a specific stopping
condition is met. The scenarios have been designed to ensure that only one of the stopping conditions
is tested in each scenario, except for the combined scenario which includes all of the stopping
conditions (although some stopping conditions are tested more than once). Analysis of these stopping
conditions will be used later in section 7.5 to analyse a more complex Trading example.



7.3.1 hop_count=0 (Scenario 1) 



This scenario verifies that a Query stops following links and returns a result (possibly an empty list of
Offers) when its hop_count = 0. This is a very simple stopping condition which is shown in figure 8.



Fig. 8. Query stops when hop_count = 0

The Query is sent by the Importer (I) with hop_count=2 and is processed by Trader 1 (T1) which
also forwards the Query to Trader 2 (T2) with hop_count = 1. It processes the Query and forwards it
to Trader 3 (T3) with hop_count = 0. T3 cannot forward the Query (since hop_count = 0) and
thus, it processes the Query locally and returns matching offers to T2 and so on until the combined
result of all the searching is returned to I.

The scenario verifies that even with a merged policy option of always and valid links to follow such
as the link from T3 to T1 (see section 7.3.5 for an example of a non-valid link), the Query terminates
after being serviced by T3. Table 6 contains statistics related to the OGs of all scenarios presented in this
paper. The marking of the single terminal node shows that the Query is propagated to T3 but is not
propagated onwards to T1 since T1 serviced the Query when its hop_count = 2.

Table 6 - Results of OG Analysis for Scenarios

Scenario     Nodes     Arcs   Seconds   Status
1             2628     6807        25   FULL
2              758     1789         6   FULL
3              296      535         2   FULL
4              844     2015         7   FULL
5              758     1789         6   FULL
6            16005    54337       182   FULL
Combined      5848     7485       512   PARTIAL


7.3.2 Total available links=0 (Scenario 2) 



In this scenario the total number of links available to the Trader for forwarding of Queries is zero, as
shown in the scenario model of figure 9. The two Traders are configured such that
limiting_follow_rule=always in all cases, and the Query hop_count starts with a
non-zero value (arbitrarily chosen to be 2). However, the LinkSpace object is initialised so that it
returns an empty list of links for T2 to follow. Thus, even though the Query hop_count allows more
hops to be made, the Query terminates after being processed by both T1 and T2.



Fig. 9. Query stops when there are no links to follow



7.3.3 Unified Policy follow behaviour=local_only (Scenario 3) 

In this scenario (shown in figure 10), the Query stops after being processed by Trader 2 (T2) even
though there are valid links to be followed and the Query's hop_count is non-zero. The model
performs a local search of the OfferSpace object since the request is unique, but T2's links are not
searched since merge_policy_options() evaluates to local_only.




Fig. 10. Query stops when unified_policy=local_only



As with previous scenarios, the OG (see table 6) contained a single terminal marking which
indicated that a matching offer from T2 was returned to I. It also showed that the Query was not
forwarded by T2 to T3 even though hop_count = 1, and a legal link to T3 could have been followed.
Instead, due to T2's max_follow_policy value (local_only), the
merged_policy_option() equalled local_only, thereby terminating propagation of the
Query to linked Traders at T2.

7.3.4 Merged Policy=if_no_local, Local OfferSpace Search Is Successful (Scenario 4)

The scenario shown in Figure 11 aims to verify that a Query stops being propagated at T2 when the
Trader has a merged policy of if_no_local and a local match is obtained, even though there are
legal links to pursue (from T2 to T3) and the Query's hop_count is non-zero. This scenario is
similar to the scenario described in section 7.3.3 except that T2's
max_follow_policy=if_no_local and thus, merge_policy_options() returns
if_no_local rather than local_only.

Fig. 11. Query stops with a local match and merged follow_policy=if_no_local

An automatic simulation run of this scenario took 59 steps with the hop_count of the Query 
initialised to 2. OG analysis of the scenario is shown in table 6. A single terminal marking was 
obtained which indicated successful termination of the Query. 

7.3.5 Valid links to follow=0 (Scenario 5) 

This scenario (shown in figure 12) illustrates one of the modifications to the Trading standard's
interworking protocol [1] outlined in section 2.3. It is a specialised case of there being no links to
follow: the only link that exists is not considered valid under the modified interworking
protocol because it is a bi-directional link between Traders.

Fig. 12. Query stops when there are no valid links to follow

In the scenario, the Query has a hop_count = 2 and according to the unmodified Trading standard
[1], the Query should be propagated by T2 back to T1. This is a redundant forwarding since the Query
has already been processed by T1 with a greater value of the hop_count parameter than the Query
which would be re-sent to it. There are no situations in which a greater Trading scope will be achieved,
assuming a static Trading environment (links do not change often over time). An automatic simulation
of this scenario required 57 steps.

This protocol optimisation results in a significant reduction in the wasted processing by Traders and
messaging bandwidth when interworking, since unproductive Trader queries and messaging are
reduced.

7.3.6 Revisit Trader with Smaller hop_count (Scenario 6) 

In the scenario shown in Figure 13, a Query request is initiated by the Importer with a hop_count = 4,
and all policies are such that the Query is propagated successfully to all links. Since T3 is connected via
a link to T1 when the Query's hop_count = 1, the Query could possibly continue to be re-processed
by T1, and subsequently passed on to T2 at which point the hop_count would reach 0. Both of these
propagation actions are redundant since the Query operation has already been processed by T1 and
T2. Therefore, propagation of the Query is terminated at T1 because it is a duplicate Query operation
whose hop_count is less than the previously processed Query operation.




Fig. 13. Query stops when it re-visits a Trader 



7.4 Deterministic Traversal of the Offer Space 

As discussed earlier, the Trader's interworking protocol as specified in the Standard is not
deterministic. In this scenario (shown in figure 14), T1 receives the same Query from two sources,
where each Query has a different value for hop_count. The order in which the Queries are processed
is not deterministic and thus, either of the two Queries may be serviced first. Without also maintaining
the Query's hop_count parameter in the history of recent interworking Queries, it is not possible for
the Query from T4 to deterministically reach T2. This policy results in two terminal markings which
correspond to:

• when the T3 Query is serviced first and the T4 Query is rejected as being a duplicate, 
thereby returning an empty list of matching Offers, and 

• when the T4 Query is serviced first and manages to propagate to T2 where it obtains a 
matching Offer. 

Figure 15 simulates the scenario of figure 14 and focuses on T1 and T2's behaviour, as indicated by the
dashed ellipse in figure 14. Using initial markings, it is possible to simulate the effect of the Query
having been serviced and propagated by T4 and T3. This reduces the size of the OG since it is not
necessary to include the Query servicing of T4 and T3 in the analysis.

A simulation of the scenario in figure 15 required 67 steps. An OG for the modified protocol which
maintains the Query hop_count was calculated and its statistics are shown in Table 6. The single
terminal marking showed an empty list of Offers being returned to T3 and a list containing a single
matching Offer being returned to T4. This was expected since the OfferSpace object was initialised so
that T2 would obtain a matching offer to the Query whereas T1 would not.
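The six stopping conditions of Table 5 and the hop_count history of this section, as an added Python example rather than the paper's CPN model: a Query is serviced recursively through a constructed Trader graph, each Trader records the largest hop_count it has serviced per Query, and a trace records which condition stopped propagation. The policy ranking local_only < if_no_local < always, the treatment of an equal hop_count as a duplicate, and the scenario topologies are assumptions of the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Strength order of the follow policies, weakest first (assumed; the paper only says a
# policy can be "reduced in strength", e.g. from if_no_local to local_only).
POLICY_RANK = {"local_only": 0, "if_no_local": 1, "always": 2}

def weakest(*policies: str) -> str:
    """merge_policy_options(): the merged policy is the weakest one involved."""
    return min(policies, key=POLICY_RANK.__getitem__)

@dataclass
class Link:
    target: str
    limiting_follow_rule: str = "always"

@dataclass
class Trader:
    name: str
    max_follow_policy: str = "always"
    has_match: bool = False                  # constructed OfferSpace: local search succeeds?
    links: List[Link] = field(default_factory=list)
    history: Dict[str, int] = field(default_factory=dict)  # Query id -> largest hop_count seen

@dataclass
class Query:
    qid: str
    hop_count: int
    follow_policy: str = "always"
    sender: Optional[str] = None             # Importer or Trader the Query was received from

Trace = List[Tuple[str, int, str]]           # (trader, hop_count, "forward" or stop reason)

class TradingGraph:
    def __init__(self, traders: List[Trader]) -> None:
        self.traders = {t.name: t for t in traders}

    def service(self, tname: str, q: Query, trace: Trace) -> List[str]:
        """Service q at Trader tname; returns the Offers matched along the Query's trail."""
        t = self.traders[tname]
        # condition 6: the Query re-visits a Trader with a hop_count no larger than before
        if t.history.get(q.qid, -1) >= q.hop_count:
            trace.append((tname, q.hop_count, "duplicate"))
            return []
        t.history[q.qid] = q.hop_count
        local = [f"{tname}:offer"] if t.has_match else []
        merged = weakest(q.follow_policy, t.max_follow_policy)
        valid = [lk for lk in t.links if lk.target != q.sender]  # reverse links are not valid [7]
        reason = None
        if q.hop_count == 0:                                   # condition 1
            reason = "hop_count=0"
        elif not t.links:                                      # condition 2
            reason = "no_links"
        elif merged == "local_only":                           # condition 3
            reason = "local_only"
        elif merged == "if_no_local" and local:                # condition 4
            reason = "local_match"
        elif not valid:                                        # condition 5
            reason = "no_valid_links"
        if reason is not None:
            trace.append((tname, q.hop_count, reason))
            return local
        trace.append((tname, q.hop_count, "forward"))
        results = list(local)
        for link in valid:               # recursive step: a smaller problem for each link
            fq = Query(q.qid, q.hop_count - 1,
                       weakest(merged, link.limiting_follow_rule), sender=tname)
            results += self.service(link.target, fq, trace)
        return results

    def query(self, first: str, hop_count: int, qid: str = "q1",
              sender: str = "I") -> Tuple[List[str], Trace]:
        trace: Trace = []
        return self.service(first, Query(qid, hop_count, sender=sender), trace), trace

def ring(t2_policy: str = "always", t2_match: bool = False, t3_match: bool = False) -> TradingGraph:
    """Constructed topology I -> T1 -> T2 -> T3 -> T1, used by scenarios 1, 3, 4 and 6."""
    return TradingGraph([Trader("T1", links=[Link("T2")]),
                         Trader("T2", t2_policy, t2_match, links=[Link("T3")]),
                         Trader("T3", has_match=t3_match, links=[Link("T1")])])

def scenario_1() -> Tuple[List[str], Trace]:
    return ring(t3_match=True).query("T1", 2)          # stops at T3 with hop_count = 0

def scenario_3_4(t2_policy: str) -> Tuple[List[str], Trace]:
    return ring(t2_policy, t2_match=True).query("T1", 2)   # local_only or if_no_local at T2

def scenario_5() -> Tuple[List[str], Trace]:
    g = TradingGraph([Trader("T1", links=[Link("T2")]), Trader("T2", links=[Link("T1")])])
    return g.query("T1", 2)                            # T2's only link is a reverse link

def scenario_6() -> Tuple[List[str], Trace]:
    return ring().query("T1", 4)                       # T1 is re-visited with hop_count 1

def scenario_7_4(t3_first: bool) -> Dict[str, List[str]]:
    """T1 receives the same Query from T3 (hop_count 0) and T4 (hop_count 1); only T2 holds
    a matching Offer. Returns what each source gets back, for either service order."""
    g = TradingGraph([Trader("T1", links=[Link("T2")]), Trader("T2", has_match=True)])
    arrivals = [("T3", 0), ("T4", 1)] if t3_first else [("T4", 1), ("T3", 0)]
    return {src: g.query("T1", hc, qid="dup", sender=src)[0] for src, hc in arrivals}
```

scenario_7_4(True) and scenario_7_4(False) return the same result, which is the determinism that keeping hop_count in the Query history is meant to provide.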

7.5 Combined Trading Topology (All Stopping Conditions) 

In this scenario, all of the stopping conditions outlined in section 7.3 are demonstrated using a single
scenario. The size of this scenario's OG would be prohibitively large due to the high degree of
inter-object concurrency and large number of active Traders. In Figure 16, the termination of a Query
as a result of each of the six stopping conditions is indicated by an arrow and a corresponding number.
Fig. 14. T1 gets duplicates with different hop_count values

Fig. 15. Non-deterministic Query propagation



When a Query from the Importer is processed by T1, it is forwarded to both T2 and T5. Each of these
Queries continues to propagate until all (sub)propagated Queries enter one of the stopping conditions
indicated in section 7.3. The path that a Query takes through the linked Traders will be denoted a trace,
and each of these conditions (which are represented at least once in the Combined Scenario) is
discussed below.




Fig. 16. Combined Scenario

7.5.1 Stopping Condition 1

The trace shown in figure 16 (terminating at 1) shows a Query that propagates from the Importer I
through T1, T2, T3, T4 and then stops at T7 because its hop_count = 0. This is comparable to the
stopping condition explained in section 7.3.1 except that in this example, the Query visits 5 Traders
rather than 3. The propagation of Queries is linear and it has been shown that Traders can successfully
propagate Queries for 3 links. Consider a partitioning of the Query in figure 16, scenario 1 into two
elements: the external environment and scenario 1.

The external environment must: 

• decrement hop_counts by 1 and 

• accept results from linked Traders and return them to the invoking entity. 

This behaviour has already been demonstrated in the scenario of section 7.3.1 between T2, T3 and T4.
Thus, the behaviour of the external environment is equivalent to a sub-set of a previously verified
behaviour scenario. The trace for scenario 1 presented in figure 16 can be projected onto the scenario
analysed in section 7.3.1, where T2=I, T3=T1, T4=T2 and T7=T3. Thus, this trace can be considered
equivalent to the serial concatenation of two analysed scenarios, both of which are guaranteed to be
deadlock-free and correct.

7.5.2 Stopping Condition 2. This stopping condition is the same as that analysed in section
7.3.2 except that the Query terminates (at 2) with hop_count = 2, rather than with hop_count = 1.
The Query terminates because it runs out of links to follow, which is independent of hop_count's
value (as discussed in section 7.3.2).

7.5.3 Stopping Condition 3. This stopping condition is similar to that analysed in section 7.3.3,
except that the Query terminates (at 3) with hop_count = 3 rather than hop_count = 1. In either
case, the hop_count value is non-zero, as discussed in section 7.3.3. A mapping (from scenario to
trace) can be used to compare the scenario of section 7.3.3 with the trace of figure 16: I=I, T1=T1,
T2=T5, T3=T7.

7.5.4 Stopping Condition 4. This stopping condition is similar to that analysed in section 7.3.4,
except that the Query terminates (at 4) with hop_count = 3 rather than hop_count = 1.
(Termination is independent of hop_count - see section 7.3.4).

7.5.5 Stopping Condition 5. This stopping condition is similar to that analysed in section 7.3.5
except that the Query terminates (at 5) with hop_count = 2 rather than with hop_count = 1.
Termination of the Query in this scenario is independent of hop_count, as discussed in section 7.3.5.

7.5.6 Stopping Condition 6. This stopping condition is identical to that analysed in section 7.3.6
which has been shown to behave correctly.

7.6 Discussion 

By applying the recursive Trading approach of section 7.1, it is possible to state that this complicated
scenario is deadlock-free and is guaranteed to terminate with a single terminal marking if its OG was
generated. This is because each of the linked Queries that are created as the initial Query propagates
from I to T1 and onwards have been verified individually in preceding sections. The fact that multiple
concurrent Trader processing has also been shown to be independent (section 6.2) allows us to
decompose the scenario into multiple concurrent smaller scenarios which have already been verified.
This means that complicated scenarios such as that shown in figure 16 can be analysed as a series of
concurrent traces which do not interact and can be analysed individually. This avoids the state space
explosion problem associated with the OG for multiple concurrent Query propagation. Figure 17
shows Query propagation with visited Traders shown as grey ellipses. If using only hop_count = 0
or available_links = 0 as stopping criteria, all nodes in the Query propagation graph of figure 17
would be visited. However, by utilising more stopping criteria, the larger, finite graph is "pruned" to




Fig. 17. Concurrent independent traces using hop_count=0 as a stopping condition 



7.7 OG Analysis of Combined Scenario 

The CPN model of the Trading Environment was configured as depicted in the scenario diagram of
Figure 16. Although the creation of a complete OG for the scenario was not possible, analysis was
performed using simulation and the creation of a partial OG. The simulation run resulted in a list of
Offers being returned to the Importer as expected and took 303 steps to complete. The partial OG was
created by allowing the OG to be created normally (breadth-wise) for 10 seconds and then forcing it to
create the OG depth-wise until complete. This resulted in a partial OG, which did not include all
possible scenario behaviours but did narrow in on a single terminal marking (593) as expected.

This process was repeated a number of times and the same single terminal node (593) was evident. 
This is a good result since it improves confidence in the assertion that the combined scenario has been 
verified using the previous scenario verification results. 



8 Conclusions 

In this paper, an approach to the analysis of a large CPN model was presented. The approach utilises 
results from a number of small verified scenarios to build up a view of more complex Trader 
interworking scenarios. The analysis was performed firstly using simulation and subsequently 
utilising OGs and OGs with Equivalence classes. The aim of the analysis was to test the correctness of 
the model and therefore the computational viewpoint of the Trading standard. 

Correct operation of the Trader was verified when servicing single and multiple Queries concurrently 
as a standalone entity. It was also shown that the model behaves correctly when there are multiple 
instances of objects which operate concurrently and independently. 
Using these results as a basis, it was shown that a more complex Trader connection topology could be
analysed by decomposing it into a number of parallel independent Query propagation scenarios which
were verified in this paper. Further work remains regarding formalisation of this approach to
reasoning about arbitrarily complex interworking topologies.

Acknowledgements 

The authors would like to thank Philippe Darondeau and the anonymous reviewers for useful 
comments regarding the draft of this paper. 

References 

[1] ISO/IEC Trading (1997) "Reference Model of Open Distributed Processing - Trading
Function", ISO/IEC IS 13235-1. ITU/T Draft Rec. X950-1, 1997. Also available at:
http://www.dstc.edu.au/AU/research_news/odp/trader/standards.html

[2] Jensen, K. (1992) "Coloured Petri Nets. Basic Concepts, Analysis Methods and Practical
Use. Volume 1: Basic Concepts", EATCS Monographs on Theoretical Computer Science,
Springer-Verlag.

[3] ISO/IEC IS 10746-1 | ITU-T Recommendation X.901 (1996) "Reference Model of Open
Distributed Processing - Part 1: Overview and Guide to Use", Geneva, Switzerland.

[4] The Object Management Group Inc (1995), "The Common Object Request Broker:
Architecture and Specification Revision 2.0", July, 1995.

[5] CPN Group, University of Aarhus (1996), Online Design/CPN User's Manual.
http://www.daimi.aau.dk/designCPN/man/X_2.0/REF/Reference.All.pdf

[6] ISO/IEC Trading Tutorial (1996) "Reference Model of Open Distributed Processing - Trading
Function Annex A: Tutorial of the Draft Trading Function".
http://www.dstc.edu.au/AU/research_news/odp/trader/tr_tutorial.html

[7] Tokmakoff, A. (1998) "Modelling, Analysis and Prototyping of the ODP Trader using
Coloured Petri Nets and Java", PhD Thesis, Faculty of Information Technology, University
of South Australia, March 1998. http://www.itr.unisa.edu.au/~steven/thesis/aat.pdf

[8] Tokmakoff, A. and Billington, J. (1996) "CPN Modelling of An Object Based System: The
ODP Trader", 1st International Workshop on Formal Methods for Open Object-based
Distributed Systems, Paris, France, May 1996, pp. 245-260.
http://www.itr.unisa.edu.au/people/andrew/papers/FMOODS96.ps.gz

[9] Tokmakoff, A., Billington, J. (1998) "Reachability Analysis of the ODP Trader using
Equivalence Classes", Proc. International Conference on Software Engineering: Education
and Practice, Dunedin, New Zealand, 26-29 January, 1998, IEEE Computer Society Press.
http://www.irisa.fr/prlve/Andrew.Tokmakoff/tsec/papers/SEFP98.pdf

[10] Jensen, K. (1994) "Coloured Petri Nets. Basic Concepts, Analysis Methods and Practical
Use. Volume 2: Analysis Methods", EATCS Monographs on Theoretical Computer Science,
Springer-Verlag.

[11] Garland, S.J. (1986), "Introduction to Computer Science with applications in Pascal",
Addison-Wesley, 1986, ISBN 0-201-04398-X.




Parallel Approaches to the Numerical Transient 
Analysis of Stochastic Reward Nets 



Susann Allmaier and David Kreische 

Lehrstuhl für Rechnerstrukturen (IMMD III), Universität Erlangen-Nürnberg,
Martensstr. 3, D-91058 Erlangen, Germany
{snallmai|ddkreisc}@informatik.uni-erlangen.de



Abstract. This paper presents parallel approaches to the complete transient numerical analysis of
stochastic reward nets (SRNs) for both shared and distributed-memory machines. Parallelization
concepts and implementation issues are discussed for the three main analysis steps that are (1)
generation of the underlying continuous-time Markov chain (CTMC), (2) solving the CTMC
numerically for the desired time points and (3) converting the results back to the net level by
evaluating reward based result measure functions. The distributed-memory approach implements
dynamic load balancing mechanisms in step (1) to guarantee an equal distribution of the state space
onto the main memories of the clustered machines. The shared-memory algorithms are based on
elaborated synchronization mechanisms which allow parallel read and write access to the global
irregular data structure of the CTMC. Performance measurements on different architectures and a
comparison of the approaches are given. All the algorithms are integrated in PANDA which
consequently is a parallel SRN modeling tool suitable for different multiprocessor platforms.



1 Introduction 

Background. One of the most pressing problems for the numerical analysis of GSPNs [13] is the
state-space explosion, which is therefore the topic of many papers in this field. The proposed
approaches can be classified into two main categories, namely avoidance methods and tolerance
methods. The first try to exploit certain properties of the net to reduce the number of states of the
underlying CTMC. Of course they can only be applied as far as the demanded properties are inherent
in the modeled system. Methods of the second category try to tolerate the large state spaces. One way
to do this is the parallelization of the analysis. Tolerance methods may be seen as additional
possibilities to be applied side by side with avoidance methods or other tolerance methods.

The most difficult part of the numerical analysis process to parallelize is the unfolding of the state
space that defines the sparse matrix of a CTMC. This is a graph generation process starting with just
an initial state. The difficulties for a parallelization lie in the irregular, dynamically growing data
structure of the CTMC whose size and shape cannot be estimated in advance.

S. Donatelli, J. Kleijn (Eds.): ICATPN’99, LNCS 1639, pp. 1999. 

(c) Springer-Verlag Berlin Heidelberg 1999
After the CTMC is generated, the transient numerical solver computes its state probabilities for the
desired time points. Our algorithms use the uniformization method. Uniformization is a very popular
transient solution method as it shows good convergence behavior in many cases, is memory efficient
and easy to implement.

The last step in the quantitative analysis process is the back-transformation of the results to the net
level. For this purpose stochastic reward nets (SRNs) provide methods to impose rate rewards on the
states (gained whenever time is spent in these) and impulse rewards on the transitions of the CTMC
(gained if this state transition occurs).

Our Contribution. We are looking at the theoretically well-defined transient 
analysis process from the realization point of view, discuss design decisions and 
show the difficulties that arise within the numerical analysis process especially 
for the parallelization approaches. 

Algorithms for distributed-memory (DM) machines implemented with the commonly available
message-passing libraries PVM (Parallel Virtual Machine) [13] or MPI (Message Passing Interface)
are a cheap way to utilize the main memories of clustered workstations or PCs which are maintained in
nearly every office nowadays. In our design decisions we focused on the space problem rather than
the computation time. This means that, in contrast to existing approaches to the state space
generation, we implemented dynamic load balancing algorithms which cause computational overhead
on the one hand but guarantee on the other hand that the computation is not aborted prematurely due
to a lack of memory on a subset of the machines while other CPUs' local memories remain widely
unused. Furthermore, with this approach we are free to automatically increase the number of
processors during runtime if necessary.

In contrast to existing parallel approaches our shared-memory (SM) algo- 
rithms perform no partitioning of the state space onto the processors but im- 
plement suitable synchronization schemes on the global shared data. It can be 
shown that good speedups are reached during the whole analysis process on 
these architectures. 

As far as we know there exist no parallel transient analysis solvers for GSPNs or SRNs in the
literature up to now. In the shared-memory case the parallel realization of the uniformization method
and the result measure computation is straightforward. In the distributed-memory version the scattered
state space imposes problems. Nevertheless we can show that computation times do not degrade
relative to the single processor version, and for models that touch the limits of a single processor
machine enormous acceleration is achieved by the elimination of swapping effects. This way problem
sizes that are not manageable sequentially can be solved by combining the main memories of clustered
workstations. Computation time and manageable problem size are compared with the sequential
GSPN tool SPNP (Stochastic Petri Net Package).

As an elaborated result measure concept was designed, all the algorithms described could be
integrated to build up the transient numerical analysis component of the SRN modeling tool PANDA.
PANDA provides a graphical user interface allowing the specification of GSPNs expanded with
phase-type distributed firing times. A widely SPNP compatible C-language interface^ can also be
used. This means the parallel concepts can be utilized in a flexible, portable and comprehensive way.

2 State Space Generation 

The first step in the numerical analysis process of GSPNs is the state space generation. During this
phase the CTMC is constructed in an iterative way starting from the initial marking m_0 of the GSPN.
The states m_i ∈ M of the CTMC are the tangible markings of the GSPN (markings which enable
timed GSPN transitions); an arc a_k ∈ A of the CTMC graph can be associated with the firing of a
certain timed transition t of the GSPN leading from marking m_i to m_j, denoted by m_i --t--> m_j.
To be able to assign impulse rewards (see the section on result measures) to the timed GSPN
transitions, each arc is labeled with the transition ID l_k = x of the transition t_x ∈ T whose firing
led to a_k and its possibly marking dependent firing rate λ_k = r(t_x, m_i). Multiple arcs between
two states of the CTMC labeled with different transition IDs may not be combined into one, in order
to preserve the correlation between GSPN transitions and CTMC arcs.

In our algorithms vanishing markings, i.e. markings which enable immediate transitions, are
eliminated on-the-fly as it is the method of choice for a transient analysis, although this impedes the
computation of impulse rewards for immediate transitions.



Fig. 1. Data structures of the CTMC generation. (Legend: untreated markings U; arc of the CTMC C;
pointer of search tree S; multiple arcs belonging to different transition firings.)



Data Structures. Mainly three dynamically changing data structures determine the algorithms: the
accruing CTMC graph C, the search data structure S to retrieve already created states so that they are
not inserted several times into C, and a set of untreated markings U to temporarily store markings
until their successor markings in C are generated. U and S are needed during CTMC generation only.
We realized U as a linear list of pointers, pointing to states already inserted in the CTMC C
(alternatives are discussed in the cited literature).

^ The definition of the result measures differs from CSPL (C-based Stochastic Petri 
Net Language) as impulse rewards are allowed. 
S is the crucial data structure with respect to efficiency because it is consulted at least once for each
arc of the CTMC. We prefer balanced search trees to hash tables [3] to implement S because their
behavior in the state space generation context is more predictable in both memory consumption and
search overhead. A hash table is either based on heuristics to determine its size or must use complex
dynamic expansion techniques. It may not simply be as big as possible to retrieve and store the states
of the CTMC, as the arcs will also occupy an unpredictable amount of memory. The hash function is
also heuristic and must therefore handle collisions appropriately. Since the numerical uniformization
solution needs five additional floating point values per CTMC state anyway (see the section on the
numerical solution), implementing S as a search tree does not cause a bottleneck with respect to
memory consumption, as the memory of the child p1ointers of S is used to store these floating point
values after the CTMC generation is finished.

In algorithmic considerations we often treat the entries of S and the states of C like different
elements. But an implementation will only maintain data structures for the states of the CTMC and
augment them with child pointers. Fig. 1 illustrates the connections between C, S and U.

Algorithmic Aspects. Fig. 2 and Fig. 3 show a sketch of the CTMC generation algorithm in
pseudo-code. The lines marked with * are parallelization specific; omitting them results in the
sequential algorithm, which we will regard first. Procedure CTMC_generation() (Fig. 2) is the main
routine. Realizing U as a linear list implies that take_element() (Line 15) just takes the first element
of the list, which equals a FIFO strategy leading to a breadth-first traversal of the CTMC graph.

New states and arcs are inserted into the accruing CTMC by procedure new_state() (Fig. 3). Arcs are
stored with their destination state m_j, which is essential for both the SM and the DM parallelization
of the CTMC generation. The elimination on-the-fly is done by procedure elim_otf() (Fig. 3). The
degree of parallelization is increased by the on-the-fly elimination because the global data structures
S, C and U do not need to be consulted for vanishing states and therefore they cause no
communication or synchronization.

For simplicity it is assumed that the initial marking is a tangible one. This restriction can be lifted by
adding a simple initialization routine. The on-the-fly elimination is specified as a recursive procedure
(Line 51). As recursion depth is a limiting factor, the actual realization is iterative using a stack.

The search key which is looked for is the marking itself which is simply an 
integer vector whose components are the number of tokens in the corresponding 
GSPN places. The lexicographical order is imposed on the markings so that the 
tree can be traversed comparing the marking met to the one that is looked for. 
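The sequential algorithm of Fig. 2 and 3 in working form, as an added example (not PANDA's own code): a constructed GSPN of a single-server queue with one immediate transition, breadth-first generation with a FIFO set U, a dictionary standing in for the search tree S, arcs stored at their destination state with rates merged per transition label, and the on-the-fly elimination written iteratively with a stack as the text describes. The guards, effects, rates and the weight normalization r(t_y, m_v) = weight / sum of the enabled weights are assumptions of this example.

```python
"""Sequential CTMC generation for a small GSPN with on-the-fly elimination
of vanishing markings (constructed example, not PANDA's code)."""
from collections import deque

# Constructed GSPN: a single-server queue with capacity K. A marking is the
# token vector (Q = waiting jobs, F = free server, S = busy server). Timed
# transitions carry a rate, immediate transitions a weight; a marking is
# vanishing when at least one immediate transition is enabled in it.
K = 2
TIMED = {      # name: (enabling guard, firing effect, rate)
    "arrive": (lambda m: m[0] < K, lambda m: (m[0] + 1, m[1], m[2]), 1.0),
    "finish": (lambda m: m[2] > 0, lambda m: (m[0], m[1] + 1, m[2] - 1), 2.0),
}
IMMEDIATE = {  # name: (enabling guard, firing effect, weight)
    "start": (lambda m: m[0] > 0 and m[1] > 0,
              lambda m: (m[0] - 1, m[1] - 1, m[2] + 1), 1.0),
}
M0 = (0, 1, 0)  # initial marking, tangible as the text assumes


def is_vanishing(m):
    return any(guard(m) for guard, _, _ in IMMEDIATE.values())


def new_state(m_c, x, rate, m_f, S, arcs, U):
    """Insert m_c if it is new and merge the arc m_f -> m_c labelled x (Fig. 3)."""
    if m_c not in S:
        S[m_c] = len(S)          # identification number of the new state
        arcs[m_c] = []           # incoming arcs are stored with the destination
        U.append(m_c)
    for arc in arcs[m_c]:        # same source and label: accumulate the rate
        if arc[0] == m_f and arc[1] == x:
            arc[2] += rate
            return
    arcs[m_c].append([m_f, x, rate])


def elim_otf(m_v, x, rate, m_f, S, arcs, U):
    """Iterative on-the-fly elimination (a stack instead of the recursion of
    Line 51): the rate is multiplied by the firing probability of every
    immediate transition until a tangible marking is reached."""
    stack = [(m_v, rate)]
    while stack:
        m, r = stack.pop()
        enabled = [(eff, w) for guard, eff, w in IMMEDIATE.values() if guard(m)]
        total = sum(w for _, w in enabled)
        for eff, w in enabled:
            m_next, r_next = eff(m), r * w / total   # r(t_y, m_v) assumed = w/total
            if is_vanishing(m_next):
                stack.append((m_next, r_next))
            else:
                new_state(m_next, x, r_next, m_f, S, arcs, U)


def generate_ctmc(m0=M0):
    """Breadth-first generation (Lines 14-24 of Fig. 2). Returns (S, arcs):
    S maps markings to state numbers, arcs[m_j] lists [m_i, label, rate]."""
    assert not is_vanishing(m0), "initial marking must be tangible"
    S, arcs, U = {m0: 0}, {m0: []}, deque([m0])
    while U:
        m_f = U.popleft()        # take_element(): FIFO, hence breadth-first
        for x, (guard, effect, rate) in TIMED.items():
            if guard(m_f):
                m_c = effect(m_f)
                if is_vanishing(m_c):
                    elim_otf(m_c, x, rate, m_f, S, arcs, U)
                else:
                    new_state(m_c, x, rate, m_f, S, arcs, U)
    return S, arcs


if __name__ == "__main__":
    S, arcs = generate_ctmc()
    for m, i in S.items():
        print(i, m, [(S[src], label, r) for src, label, r in arcs[m]])
```

With the constructed net the vanishing markings (1,1,0) and (2,1,0) never enter S, C or U; only the four tangible states and the six arcs between them are stored.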

Storage Requirements. Each state stores: (1) A marking that is either a vector of fixed size, which is advantageous for Petri nets where all the places contain tokens most of the time, or of variable size storing both the place number and the number of tokens for those places that contain at least one token. The second is the method of choice for most of the nets. (2) An identification number. This is only for efficiency reasons and could be omitted if the marking was used to identify a state. (3) A pointer to the incoming arcs within C. (4) Pointers to construct S. The structure of S can be converted after CTMC generation to connect all the states in a linear list, and unnecessary pointers are freed or reused otherwise. Each arc stores: (1) A transition ID. (2) A rate value. (3) A link to its source state. If arcs are not maintained in a dynamically growing array, also (4) a pointer to the next arc must be given; otherwise the number of incoming arcs has to be stored. Up to now our implementations unfortunately do not implement these structures at minimum cost. U represents no limiting factor. If the elements u_i ∈ U point to states which are not absorbing, at least one arc — consuming more memory than u_i — will be inserted in C when u_i is deleted (Line 15 Fig. 2 and Line 38 Fig. 3). Therefore the memory consumed by U is finally needed anyway for C if we assume only few absorbing states.

  1  private process ID p
  2  initial marking m_0
  3  CTMC C := ∅
  4  search structure S := ∅
  5  set of untreated markings U := ∅
  6  procedure CTMC_generation()
  7  begin
* 8    if (partition(m_0) = p)
  9      insert m_0 in C
 10      insert m_0 in S
 11      U := U ∪ m_0
*12    endif
*13    while (no termination message received)
 14      while (U ≠ ∅)
 15        m_f := take_element(U)
 16        for each enabled transition t_x : m_f -> m_c
 17          if (m_c is vanishing)
 18            elim_otf(m_c, x, r(t_x, m_f), f)
 19          else
 20            new_state(m_c, x, r(t_x, m_f), f)
 21          endif
 22        endfor
*23        offer()
 24      endwhile
*25      request()
*26    endwhile
 27  end CTMC_generation

Fig. 2. Main routine of the parallel CTMC generation algorithm for DM machines. Omitting the *-marked lines results in the sequential algorithm.
 28  procedure new_state(m_c, x, rate, f)
 29  begin
*30    n := partition(m_c)
*31    if (n = p)
 32      if (m_c ∉ S)
 33        insert m_c in C
 34        insert m_c in S
 35        U := U ∪ m_c
 36      endif
 37      if (not exists arc a_k : m_f -> m_c in C with l_k = x)
 38        insert a_k : m_f -> m_c in C
 39        set transition label l_k := x and rate label r_k := 0
 40      endif
 41      set rate label r_k := r_k + rate
*42    else
*43      pack(n, m_c, x, rate, f)
*44    endif
 45  end new_state

 46  procedure elim_otf(m_v, x, rate, f)
 47  begin
 48    for each enabled transition t_y : m_v -> m_c
 49      rate := rate * r(t_y, m_v)
 50      if (m_c is vanishing)
 51        elim_otf(m_c, x, rate, f)
 52      else
 53        new_state(m_c, x, rate, f)
 54      endif
 55    endfor
 56  end elim_otf

Fig. 3. Subroutines of the parallel CTMC generation algorithm for DM machines. Omitting the *-marked lines results in the sequential procedures.

2.1 Distributed-Memory Parallelization 

The main difficulty of the DM approach is to achieve an equal distribution of the state space onto the processors, since each processor has access only to its local memory and the part of the state space stored there. Since there is usually no information available about the state space before it is actually built, the partitioning function should be adapted during run time. A dynamically changing partitioning function is the main difference to the existing approaches in [ref].

Algorithmic Aspects. We use a master/slave concept: one slave process runs on each processor. The slaves are concerned with the actual state space generation given in Fig. 2 and 3. Additionally one master process exists. It is responsible only for the spawning of the slaves and further on for administering, controlling and terminating them. We do not give an algorithmic sketch of the master process, as it just reacts to messages from the slaves, which it attends in a loop. Four routines are added to the sequential algorithm:

— partition(m_c) returns the process ID n of the slave which is responsible for marking m_c. This way each state is mapped uniquely onto one processor, and this processor finds the marking in its search tree if it has already been generated.

— pack(n, m_c, x, rate, f) packs marking m_c together with the information needed to create a new arc into the output buffer for messages that wait to be sent to the slave with ID n.

— request() is called if a slave gets idle, i.e. when its U got empty. All of the output buffers are sent to the corresponding slaves and an idle message is broadcast. If new markings arrive they are handled by calling new_state() (giving the received additional information as arguments). Furthermore attention is given to load balancing and termination messages.

— offer() is a cyclically called routine that checks for data requests of other slaves. If one is queued the corresponding output buffer is sent. In order to keep input buffers small, procedure new_state() is called for each so-far received marking. Again attention is given to load balancing and termination messages. Procedure offer() (Line 23, Fig. 2) should only be called every 100th iteration.

Dynamic Load Balancing. Our solution to the partitioning problem is a dynamic load balancing algorithm. Hereby memory consumption and not computation time is regarded as load. The load balancing routine repartitions the CTMC and adapts the partitioning function.

The partitioning function of course maps the entire set of possible markings onto the processors. Potential markings are ordered lexicographically again, and each slave is assigned a continuous (not necessarily equal sized) range of these. The markings which build up the borders of the ranges are known to all the slave processes. partition(m_c) (Line 30, Fig. 3) has to compare the current marking m_c with the range borders and return the process ID n of the slave whose border markings m_i and m_j include m_c: m_i < m_c < m_j. To do this efficiently the border markings are organized in a binary tree instead of a linear list. The ranges are recomputed when load is rebalanced.

The master process is cyclically informed by the slaves how much of their local memory is occupied. When the memory utilization on one processor differs by more than m% from the average memory utilization (the tolerance parameter m can be chosen), load balancing is initiated by the master. For the load balancing routine a chain topology is used. The master tells each slave how many bytes it has to send to or get from its left and right neighbor processor. Then the slaves exchange CTMC states together with their incoming arcs in parallel until the required amount of bytes is exchanged. This way also the arcs of the CTMC are considered when memory is balanced, which we experienced to be crucial (see Sec. 5). To maintain the continuous ranges of the partitioning function the right neighbor gets the smallest markings and the left neighbor gets the biggest ones. Fig. 4 illustrates the load balancing. For simplicity markings are represented as integer numbers instead of vectors. It shows the ranges of four processors with their local balanced search trees S. The upper line shows the situation before load balancing, the lower line afterwards. Processor 1 has to send three markings to Processor 2 (as indicated by the fill style) and Processor 2 has to send one to Processor 3. The trees are rebalanced during the exchange.

Fig. 4. Load balancing mechanism.

We implemented S by an AVL-tree in our DM algorithm, which is a height-balanced binary tree. Rebalancing is done by rotating smaller or bigger parts of the tree, thus guaranteeing search times that are logarithmic in the number of the so-far generated states. The balance of the AVL-tree is maintained easily during load balancing as always the smallest/biggest marking is removed from the tree. This is simply done by cutting off the leftmost/rightmost leaf and initiating a rotation to rebalance the tree immediately if necessary. The destination process receives the markings in an ordered way, which makes the insertion on the receiver's side as simple as the cutoff on the sender's side. When the exchange is finished the slaves report the number of markings exchanged and the master process recomputes the new range borders and broadcasts them.
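Added example (not PANDA's code) of the partitioning function and of one chain-topology load balancing round as described above: the border markings are kept sorted and searched by bisection, load is measured as the number of stored markings instead of bytes, and each slave's search tree is modelled by a sorted list, so that cutting off the smallest/biggest marking is a slice at either end and markings received from a neighbour arrive in order. The tolerance parameter, the sample markings and the skewed initial distribution are constructed.

```python
"""Range partitioning of lexicographically ordered markings and chain load
balancing between neighbouring slaves (added example, not PANDA's code)."""
import bisect
import random


def borders_of(slaves):
    """Border markings: the smallest marking held by each slave. In the real
    system the master broadcasts these to all slaves after a rebalance."""
    return [s[0] for s in slaves]


def partition(m, borders):
    """partition(m_c) of Fig. 3: ID of the slave whose range [borders[n],
    borders[n+1]) contains m, found by binary search over the border markings
    instead of a linear scan. Markings below the first border go to slave 0."""
    return max(bisect.bisect_right(borders, m) - 1, 0)


def balance_chain(slaves, tolerance):
    """One load balancing round over a chain of slaves. slaves[n] is the sorted
    list of markings slave n stores; the number of markings stands in for the
    bytes of states plus arcs. If some slave deviates by more than `tolerance`
    (the m% parameter as a fraction) from the average, markings move between
    neighbours: a slave's biggest markings go to its right neighbour, where they
    become the smallest ones, so every range stays contiguous. Returns the
    recomputed border markings."""
    total, n = sum(len(s) for s in slaves), len(slaves)
    avg = total / n
    if max(abs(len(s) - avg) for s in slaves) <= tolerance * avg:
        return borders_of(slaves)                  # nothing to do
    target = [total // n + (1 if i < total % n else 0) for i in range(n)]
    for i in range(n - 1):                         # walk along the chain
        surplus = len(slaves[i]) - target[i]
        if surplus > 0:                            # cut off the rightmost markings
            slaves[i + 1][0:0] = slaves[i][-surplus:]
            del slaves[i][-surplus:]
        elif surplus < 0:                          # pull the leftmost from the right
            slaves[i].extend(slaves[i + 1][:-surplus])
            del slaves[i + 1][:-surplus]
    return borders_of(slaves)


def build_example(seed=7, n_markings=40):
    """Constructed state space: 40 distinct 3-place markings, initially spread
    over four slaves with slave 0 holding most of them. Returns the balanced
    slaves, the new borders and the loads before balancing."""
    rnd = random.Random(seed)
    markings = set()
    while len(markings) < n_markings:
        markings.add(tuple(rnd.randint(0, 5) for _ in range(3)))
    ms = sorted(markings)                          # lexicographic order of vectors
    slaves = [ms[:25], ms[25:30], ms[30:35], ms[35:]]
    before = [len(s) for s in slaves]
    borders = balance_chain(slaves, tolerance=0.10)
    return slaves, borders, before


if __name__ == "__main__":
    slaves, borders, before = build_example()
    print("loads before:", before, "after:", [len(s) for s in slaves])
    print("borders:", borders)
    print("slave of", slaves[2][0], "is", partition(slaves[2][0], borders))
```

Because every slave only ever gives away its extreme markings, the ranges remain contiguous after the round and partition() maps each stored marking to the slave that actually holds it.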

In contrast to the shared-memory version the arc that is stored with its destination state m_j cannot contain a pointer to its source state m_i because m_i may be stored on a different processor. Instead of a pointer it just contains the unique source state ID, which consists of process ID and state number. After state space generation is finished a renumbering has to be performed to prepare the numerical solution: a unique integer number is computed out of the bipartite number and the numbers are permuted (as they are disordered due to load balancing) so that each processor p ends up with a continuous range of state numbers g_p = [g_p^-, g_p^+] in its memory. This means the source state entries of the arcs have to be changed also. Computation times for renumbering are negligible.

Additional Storage Requirements. DM parallelization additionally needs space for input and output buffers to store the data sent to/received from other processors. The buffers may contain one marking several times. The state ID has to store the process number in addition to the state number. AVL-trees are only efficient if a parent pointer is maintained for each state.
2.2 Shared-Memory Parallelization

When a shared-memory architecture is used, the main data structures C, S and U (Fig. 1) may be kept in global shared memory. This means no partitioning onto the processors has to be performed and the current information about the so-far generated state space is accessible for all the processors.

To guarantee data consistency it is necessary to lock data portions using mutex variables so that read and write operations are done in mutually exclusive access. Otherwise two processors might for example insert the same state in the CTMC at the same time. Mutex variables are tested and set in an atomic operation. Only a thread^ which succeeded in setting the mutex variable may proceed, whereas the other threads block until the mutex variable is unlocked again. To allow a high degree of parallelism the portion of the global data that is locked by one processor should be small and should not represent a bottleneck. But on the other hand the locked data portions should not be too small, as locking operations are expensive and locking variables consume memory.

The main problem with balanced search trees and synchronization is the rebalancing routine: insertions at a leaf of the tree often cause reorganizations which may affect the whole tree structure. Therefore the part of the tree that is potentially affected by the reorganization has to be locked.

In our solution data consistency with a high degree of parallelism is achieved by using B-trees [ref] as search data structure S. In B-trees a parameterizable number of markings is grouped together into one B-tree node, which is the entity that is locked, thus reducing the number of locking operations. Rebalancing is done by splitting B-tree nodes when they are full. The height of the tree is only increased when the root node is split. Normally rebalancing is done in a back-propagation manner: the insertion of a new marking in a leaf node causes it to split when full, giving one marking to its parent node. This again may be full and has to be split, and so on. This way splittings may propagate back up to the root node, which is very disadvantageous for synchronization. We therefore modified the standard balancing strategy from splitting nodes on demand to a splitting-in-advance strategy: nodes which might get full when the next insertion takes place are split in advance on the way down during the search process. This strategy works with only two mutex variables locked at a time per thread. As there is no room for details we refer to [ref] for a full description.
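The splitting-in-advance strategy with lock coupling, as an added example (not PANDA's implementation): a B-tree whose nodes each carry a mutex; every full node met on the way down is split before the thread descends into it, so a split never has to propagate back towards the root, and a thread holds at most two node mutexes at a time (the parent and the child it is moving to). The additional short-lived mutex on the root pointer, the minimum degree, and the concurrent insertion of a shuffled key range by several threads are assumptions of this example.

```python
"""B-tree insertion with splitting in advance and lock coupling (added example,
not PANDA's code). max_held records the most node locks one thread held at once."""
import bisect
import random
import threading

T = 2                                  # minimum degree: at most 2*T-1 keys per node


class Node:
    def __init__(self, leaf=True):
        self.keys, self.children, self.leaf = [], [], leaf
        self.lock = threading.Lock()   # one mutex variable per B-tree node


class BTree:
    def __init__(self):
        self.root, self.height = Node(), 1
        self.root_lock = threading.Lock()         # guards the root pointer only
        self.stats_lock, self.max_held = threading.Lock(), 0
        self.local = threading.local()            # per-thread lock counter

    def _acquire(self, node):
        node.lock.acquire()
        held = getattr(self.local, "held", 0) + 1
        self.local.held = held
        with self.stats_lock:
            self.max_held = max(self.max_held, held)

    def _release(self, node):
        self.local.held -= 1
        node.lock.release()

    @staticmethod
    def _split_child(parent, i):
        """Split the full child parent.children[i]; its median key moves up.
        The parent is known to be non-full, so the split never propagates."""
        full, right = parent.children[i], Node()
        right.leaf = full.leaf
        right.keys, right.children = full.keys[T:], full.children[T:]
        parent.keys.insert(i, full.keys[T - 1])
        parent.children.insert(i + 1, right)
        full.keys, full.children = full.keys[:T - 1], full.children[:T]

    def insert(self, key):
        """Insert key; return False if it is already present (duplicate state)."""
        with self.root_lock:
            node = self.root
            self._acquire(node)
            if len(node.keys) == 2 * T - 1:       # full root: split in advance,
                new_root = Node(leaf=False)       # the only way the height grows
                new_root.children.append(node)
                self._split_child(new_root, 0)
                self.root, self.height = new_root, self.height + 1
                self._release(node)
                node = new_root
                self._acquire(node)
        while True:                               # invariant: node locked, not full
            i = bisect.bisect_left(node.keys, key)
            if i < len(node.keys) and node.keys[i] == key:
                self._release(node)
                return False
            if node.leaf:
                node.keys.insert(i, key)
                self._release(node)
                return True
            child = node.children[i]
            self._acquire(child)                  # second lock: parent + child
            if len(child.keys) == 2 * T - 1:      # could overflow below: split now
                self._split_child(node, i)
                if key == node.keys[i]:           # the promoted median is the key
                    self._release(child)
                    self._release(node)
                    return False
                if key > node.keys[i]:
                    self._release(child)
                    child = node.children[i + 1]
                    self._acquire(child)
            self._release(node)                   # drop the parent before descending
            node = child

    def inorder(self, node=None):
        node = node if node is not None else self.root
        if node.leaf:
            return list(node.keys)
        out = []
        for i, k in enumerate(node.keys):
            out += self.inorder(node.children[i]) + [k]
        return out + self.inorder(node.children[-1])


def demo(n_keys=300, n_threads=4, seed=1):
    """Several threads insert a shuffled key range concurrently (constructed
    input); every key is offered twice to exercise the duplicate path."""
    keys = list(range(n_keys)) * 2
    random.Random(seed).shuffle(keys)
    tree = BTree()
    chunks = [keys[i::n_threads] for i in range(n_threads)]
    threads = [threading.Thread(target=lambda c=c: [tree.insert(k) for k in c])
               for c in chunks]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return tree, keys
```

Locks are always taken top-down and the root pointer lock is released before any descent, so no two threads can wait for each other; the counter shows that the bound of two node mutexes per thread claimed in the text holds for this strategy.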

Additional Storage Requirements. The SM algorithm needs one mutex variable per B-tree node, which is O(|M|/h) on average (with h the average node size), but no parent pointers have to be maintained. State numbers are augmented by the thread number.

3 Transient Numerical Solution

Now that the CTMC is generated, instantaneous and cumulative transient measures are computed for one or a series of user-defined time points.

^ Processes are called threads in the SM context.
For the basic theoretical considerations we switch from regarding the CTMC as a graph (which is nothing else than a sparse matrix representation) to the full matrix representation. This means vector component π_i(τ) of the vector π(τ) represents the state probability of CTMC state m_i at time τ, and component θ_i(τ) of vector θ(τ) represents the expected total time that is spent in state m_i during the time interval [0, τ]. The infinitesimal generator matrix Q is built up of the transition rates labeling the arcs of the CTMC graph:

    Q_{i,j} = \sum_{a_k : m_i \to m_j \in A} r_k \quad (i \neq j), \qquad Q_{i,i} = -\sum_{j \neq i} Q_{i,j} .

Uniformization Algorithm. The Chapman-Kolmogorov equation of the time homogeneous CTMC is solved for the given initial state probability vector π(0). We have to set π_0(0) = 1 for the initial marking m_0 and π_i(0) = 0 for i ≠ 0^. The uniformization method computes the solution of the Chapman-Kolmogorov equation by evaluating

    \pi(\tau) \approx \pi^*(\tau) = \pi(0) \sum_{h=\rhd(q\tau,\varepsilon)}^{\lhd(q\tau,\varepsilon)} \hat Q^h \, \beta(h, q\tau) = \sum_{h=\rhd(q\tau,\varepsilon)}^{\lhd(q\tau,\varepsilon)} \varphi(h) \, \beta(h, q\tau)   (2)

where the factor q is given by q ≥ max_i |q_{i,i}|, the matrix Q̂ is defined by Q̂ = (1/q) Q + I with I being the identity matrix, and β(h, qτ) is the Poisson probability of h events with mean qτ. To satisfy ||π(τ) − π*(τ)||_∞ ≤ ε we have to set (see [ref])

    \rhd(q\tau,\varepsilon) = \max\{ j \in \mathbb{N} : \sum_{h=0}^{j} \beta(h, q\tau) \le \varepsilon/2 \}, \qquad \lhd(q\tau,\varepsilon) = \min\{ j \in \mathbb{N} : 1 - \sum_{h=0}^{j} \beta(h, q\tau) \le \varepsilon/2 \} .

The real work lies in the vector/matrix multiplications computing φ(h) (Eq. (2)), which is done iteratively:

    \varphi(0) = \pi(0), \qquad \varphi(h) = \varphi(h-1) \, \hat Q, \quad h > 0 .   (3)



Restarted Version. We realized the restarted version of the algorithm given in [ref]. This means if several time points τ_0, ..., τ_{|τ|} have to be evaluated, for i with 0 < i ≤ |τ| we set τ = τ_i − τ_{i−1} and π(0) = π*(τ_{i−1}) in Eq. (2) and start again. This means we assign each time interval i > 0 its own function {}^{i}π*(τ) with

    \pi^*(\tau_i) = {}^{i}\pi^*(\tau_i - \tau_{i-1}) = \sum_{h=\rhd(q(\tau_i - \tau_{i-1}),\varepsilon)}^{\lhd(q(\tau_i - \tau_{i-1}),\varepsilon)} \pi^*(\tau_{i-1}) \, \hat Q^h \, \beta(h, q(\tau_i - \tau_{i-1})) .   (4)

This is possible because of the Markov property: the past has no influence on the future, so it can be assumed that time point τ_{i−1} is the initial time. As

^ If the initial marking is vanishing several π_i(0) > 0 may exist. This initial vector π(0) must be preserved by the CTMC generation.
errors sum up this way, the internal error tolerance must be set to a smaller value ε' for the computation of each time point. Restarting causes overhead in computation time because for each time point

— the left truncation point ⊳(qτ, ε) has to be reached;

— since holding the two matrices Q and Q̂ in memory is not acceptable with respect to storage requirements, matrix Q has to be converted to Q̂ and back again to compute result measures;

— for each user-defined result measure function every state and arc has to be visited in the worst case, as we will see in the next section. Without restart all |τ| time points would be computed in one step and stored in an array of size |τ| within the states. Therefore the result computation would have to visit the states and arcs only once, calling each result function only once (implying that the result functions operate on an array of size |τ|).

But as we consider memory consumption as the limiting factor, we accept this computational overhead (which we experienced to be negligible) and just store one time point at a time, doing result computation straight ahead and then restarting for the next time point.



Expected Total Time. The vector of the expected total times spent in the states, θ(τ) = ∫_0^τ π(u) du, is computed by [ref]

    \theta(\tau) \approx \theta^*(\tau) = \int_0^{\tau} \pi^*(u) \, du = \frac{1}{q} \sum_{h=0}^{\lhd(q\tau,\varepsilon)} \varphi(h) \Big( 1 - \sum_{k=0}^{h} \beta(k, q\tau) \Big) .   (5)

Time averaged values θ̄(τ) = θ(τ)/τ are within the error tolerance ε this way; for absolute values we set ε = ε/τ and adapt ⊲(qτ, ε). As {}^{i}π*(τ) = {}^{i−1}π*(τ + τ_{i−1}) for τ > τ_{i−1}, which means that restart i > 0 shifts function {}^{i−1}π*(τ) by τ_{i−1} units to the left, we may also compute θ*(τ_i) together with π*(τ_i) in a restarted manner:

    \theta^*(\tau_i) = \sum_{j=0}^{i} {}^{j}\theta^*(\tau_j - \tau_{j-1}) = \sum_{j=0}^{i} \int_0^{\tau_j - \tau_{j-1}} {}^{j}\pi^*(u) \, du \qquad (\text{with } \tau_{-1} = 0) .   (6)

Storage Requirements. For each state m_i ∈ M of the CTMC, φ(h) and φ(h−1), the instantaneous and cumulative solution and the diagonal entry of Q̂ have to be stored. This results in an additional storage expenditure of |M| · 5 floating point values for the transient uniformization solution.
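The uniformization equations (2) to (6) carried through in code, as an added example (not PANDA's solver), on the four tangible states of the queue example from Sec. 2 given directly as a constructed arc list: the generator matrix Q, Q̂ = Q/q + I, the truncation points, the φ(h) iteration, π*(τ) and θ*(τ) in one sweep, and the restarted version over several time points. β(h, qτ) is the Poisson weight; the per-interval tolerance ε' = ε/|τ| used by the restarted solver is an assumption of this example.

```python
"""Transient uniformization with restart, Eq. (2)-(6) (added example, not
PANDA's solver)."""
import math

# Constructed CTMC: the four tangible states of the single-server queue from
# Sec. 2, arcs as (source, destination, rate r_k); self-arcs are not part of Q.
ARCS = [(0, 1, 1.0), (1, 2, 1.0), (1, 0, 2.0), (2, 3, 1.0), (2, 1, 2.0), (3, 2, 2.0)]
N_STATES = 4


def generator(arcs, n):
    """Q_{i,j} = sum of the rates of arcs m_i -> m_j (i != j), Q_{i,i} = -row sum."""
    Q = [[0.0] * n for _ in range(n)]
    for i, j, r in arcs:
        Q[i][j] += r
    for i in range(n):
        Q[i][i] = -sum(Q[i])
    return Q


def uniformize(Q):
    """Q_hat = Q/q + I with q = max_i |q_{i,i}|; returns (Q_hat, q)."""
    n = len(Q)
    q = max(-Q[i][i] for i in range(n))
    Qh = [[Q[i][j] / q + (1.0 if i == j else 0.0) for j in range(n)] for i in range(n)]
    return Qh, q


def beta(h, lam):
    """Poisson weight beta(h, q*tau), evaluated in log space to avoid overflow."""
    if lam == 0.0:
        return 1.0 if h == 0 else 0.0
    return math.exp(-lam + h * math.log(lam) - math.lgamma(h + 1))


def truncation(lam, eps):
    """Left point: largest j with sum_{h<=j} beta <= eps/2 (0 if none);
    right point: smallest j with 1 - sum_{h<=j} beta <= eps/2."""
    left, acc, h = 0, 0.0, 0
    while True:
        acc += beta(h, lam)
        if acc <= eps / 2:
            left = h
        if 1.0 - acc <= eps / 2:
            return left, h
        h += 1


def transient(pi0, Qh, q, tau, eps=1e-8):
    """pi*(tau) by Eq. (2)/(3) and theta*(tau) by Eq. (5) in one sweep over h."""
    n, lam = len(pi0), q * tau
    lo, hi = truncation(lam, eps)
    phi, pi, theta, cum = list(pi0), [0.0] * n, [0.0] * n, 0.0   # phi(0) = pi(0)
    for h in range(hi + 1):
        b = beta(h, lam)
        cum += b                                   # sum_{k<=h} beta(k, q tau)
        for i in range(n):
            if h >= lo:
                pi[i] += phi[i] * b
            theta[i] += phi[i] * (1.0 - cum) / q
        phi = [sum(phi[i] * Qh[i][j] for i in range(n)) for j in range(n)]  # Eq. (3)
    return pi, theta


def restarted(pi0, Qh, q, times, eps=1e-8):
    """Eq. (4)/(6): each interval [tau_{i-1}, tau_i] is solved from the previous
    pi*(tau_{i-1}); the per-interval tolerance eps/|tau| is an assumption here."""
    out, prev_t, prev_pi, theta_sum = [], 0.0, list(pi0), [0.0] * len(pi0)
    for t in times:
        pi, theta = transient(prev_pi, Qh, q, t - prev_t, eps / len(times))
        theta_sum = [a + b for a, b in zip(theta_sum, theta)]
        out.append((t, pi, list(theta_sum)))
        prev_t, prev_pi = t, pi
    return out


if __name__ == "__main__":
    Qh, q = uniformize(generator(ARCS, N_STATES))
    for t, pi, theta in restarted([1.0, 0.0, 0.0, 0.0], Qh, q, [1.0, 2.0, 5.0]):
        print(t, [round(x, 5) for x in pi], [round(x, 5) for x in theta])
```

Two checks follow directly from the equations: the components of π*(τ) sum to the retained Poisson mass, hence to 1 within ε, and the components of θ*(τ) sum to τ; the restarted run over [2, 5] reproduces the direct run to τ = 5 within the tolerance.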



3.1 Distributed-Memory Parallelization

The conversion of matrix Q to matrix Q̂ is trivial to parallelize. The diagonal elements q_{i,i} are already computed during CTMC generation. The local maximum |q_{i,i}| element is determined and given to the master, which then determines the global maximum and gives it to the slaves, which in turn compute their part of Q̂. The truncation points and β(h, qτ) are computed locally on each processor.

The parallelization issue is consequently the vector/matrix multiplication to compute φ(h) in each iteration h (Eq. (3)), where we have to cope with the scattered state space. The matrix Q̂ is stored columnwise by storing the incoming arcs with the CTMC states as described in Sec. 2. The renumbering of the states (Sec. 2.1) additionally implies that the locally stored state numbers build a continuous range, which is the only way to allow φ(h) and φ(h−1) to be stored in arrays and their components to be accessed via the array index evaluated from the state number. This in turn is essential as we will see, since φ_i(h−1) has to be referenced via the information stored in a_k : m_i → m_j, which provides only the source state ID i. Fig. 5 illustrates these data structures for matrix Q̂
where r̂_k = r_k/q are the converted rate values stored at the CTMC arcs (see the definition of Q̂ in Sec. 3). The data structure of an incoming arc containing its rate value and source state number is given as the rectangle in Fig. 5. In order to be really scalable we implemented two possibilities: (1) a more time efficient one-step vector/matrix multiplication, which requires storing a vector of size |M| on each processor, and (2) a multiplication in |p| steps (|p| number of processors) using a smaller array of size x, x being the maximum number of states on one processor. We describe the second method first. Two steps are illustrated by Fig. 5. In the first step of iteration h each processor p updates the φ' = φ(h−1) array in Fig. 5, which means φ' := φ, and visits all of its local arcs with i ≠ j summing up

    \varphi_j(h) = \varphi_j + \sum_{a_k : m_i \to m_j \in A,\; i \in g_p,\; i \neq j} \hat r_k \, \varphi'_i .   (7)

Fig. 5. Two steps of parallel distributed-memory vector/matrix multiplication.

This can be done only for arcs with i ∈ g_p, g_p being the range of state numbers of processor p for which the φ' values are currently available in the φ'-array. In Fig. 5 the filled style marks for which arcs the products r̂_k φ'_i can be summed up to φ_j. The left border g_p^- of g_p builds the offset for both arrays: the index of φ'_i is given by i − g_p^-, that of φ_j by j − g_p^-. After each step s = 0, ..., |p| − 1 the φ'-arrays are moved in a circle by giving the array to the left neighbor processor with processor number (p + 1) mod |p|. This way each processor n = (p + s) mod |p| computes Eq. (7) in step s for i ∈ g_p by reaching φ'_i in array component i − g_p^-. After |p| steps φ = φ(h) is totally computed.

The one-step multiplication on the other hand just has two phases: first each processor sends its local part of φ' to all the other processors. Every processor stores the whole φ' vector. Therefore in the second phase the processors can locally update their φ values in one step.



3.2 Shared-Memory Parallelization

Parallelizing the transient uniformization solver on a shared-memory machine is quite simple. During the whole computation each thread p is assigned a subset of states M_p with ∪_p M_p = M, M_p ∩ M_q = ∅ and |M_p| ≈ |M_q| for p ≠ q. All the CTMC states reside in global shared memory and are therefore accessible for all the processors. Synchronization can be limited to the insertion of some barriers, at which the threads stop until all of them have reached this point.

Barriers are needed to compute the stochastic matrix Q̂ out of matrix Q: first the diagonal elements q_{i,i} are computed in parallel. During CTMC generation this is not possible since only the destination state m_j of a newly generated arc is protected by a mutex variable and the q_{i,i} computation would change source state m_i for i ≠ j. The computation is split into |p| phases (|p| number of processors). In each phase s = 0, ..., |p| − 1 each thread p computes thread number n = (p + s) mod |p|. Then all the incoming arcs of each of the thread's states m_j ∈ M_p are visited, but the value r_k of the current arc a_k : m_i → m_j is only added to q_{i,i} if m_i ∈ M_n. This way each thread works on a different set of source states M_n in each phase and no data protection has to be done. The phases have to be separated by barriers. Afterwards the maximum |q_{i,i}| can be found for each thread's subset of states in parallel, followed by a barrier to wait until the global maximum is determined. Dividing all matrix entries to gain Q̂ is done completely in parallel without synchronization.

For the vector/matrix multiplication (Eq. (3)) no synchronization is needed because of the columnwise storage scheme:

    \varphi_j(h) = \hat q_{j,j} \, \varphi_j(h-1) + \sum_{a_k : m_i \to m_j \in A,\; i \neq j} \hat r_k \, \varphi_i(h-1)

is computed by each thread p for all the states m_j ∈ M_p, referencing φ_i(h−1) (which is stored within state m_i) by the source state pointer within a_k. After each iteration a barrier has to be inserted.
4 Reward Based Result Measure Computation

In this section we focus on implementation issues of a flexible result measure definition and evaluation. Result measures are given by the modeler as a part of the net definition, which lifts the GSPN up to an SRN [ref]. For PANDA, in which we integrated all the parallel algorithms, this can be done either within the graphical interface (which imposes some restrictions on the functions as an interpreter has to provide the operators) or using the SPNP-like C-interface [ref], where the flexibility of the C language may be exploited. Result measures are specified by

1. first defining rate and impulse reward functions [ref]

2. and then combining a pair of one rate and one impulse reward, thus defining — together with the CTMC — a global reward process R(τ) and computing a stochastic value like the expected global reward E[R(τ)]. The wanted result measure may simply be this stochastic value itself, or arithmetic and logical operators can be applied to combine several stochastic values into one result measure. Several result measures may be specified within one net.

In Step 1 the user needs a means to assign the rate reward ρ_i to state m_i and the impulse reward ι_k to arc a_k of the CTMC by defining rate and impulse reward functions ρ and ι on SRN level. The characterizing functions CF are the building blocks of the user-defined reward functions and are to be provided by the tool. We distinguish the node characterizing functions NCF

— mark(p_z): P × M → IN_0 returning the number of tokens in place p_z ∈ P in the current marking m_i ∈ M,

— enabled(t_y): T × M → {0, 1} returning 1 if transition t_y ∈ T is enabled in the current state m_i ∈ M and 0 if not

and the arc characterizing functions ACF

— fire(t_y): T × A → {0, 1} returning 1 if the firing of transition t_y ∈ T is responsible for the current arc a_k ∈ A (i.e. l_k = y) and 0 if not,

— rate(t_y): T × A → IR returning the firing rate r_k of transition t_y ∈ T for the arcs a_k ∈ A with transition label l_k = y, 0 for the others.

The user fixes the place and transition parameters of the CF, which means the resulting reward function is a function of the current CTMC state or arc only. For rate rewards we allow only NCF to be used. For impulse rewards ACF and NCF are available in the sequential and shared-memory context. In the distributed-memory context only ACF are allowed for impulse rewards, since otherwise we would get into trouble as we will see in Sec. 4.1.

Within the result computation self-arcs within the state space should not be neglected because an impulse reward may be assigned to them. In the numerical solution they are not included in matrix Q (see the definition of Q in Sec. 3) as transition firings which do not change the marking are not regarded as an interruption of the sojourn in this marking. But nevertheless the CTMC generation preserves them (see the algorithm in Figures 2 and 3) in the arc lists so they can be treated just like any other arc during result computation (compare [ref]).

In this first parallel PANDA version the only stochastic operator that is provided is the expected value E. The expected value of the instantaneous reward at time τ is given by

    E[R'(\tau)] = \sum_{m_i \in M} \rho_i \, \pi_i(\tau) + \sum_{a_k : m_i \to m_j \in A} \iota_k \, r_k \, \pi_i(\tau)   (8)

and the expected value of the reward up to time τ by

    E[R(\tau)] = \sum_{m_i \in M} \rho_i \, \theta_i(\tau) + \sum_{a_k : m_i \to m_j \in A} \iota_k \, r_k \, \theta_i(\tau)   (9)

(see [ref] for details). This means the algorithm has to visit each state m_i of the CTMC and call the user-defined rate reward function to get ρ_i, and each arc a_k and call the impulse reward function to get ι_k. Regarding each arc separately for impulse rewards is necessary since functions like ifn() = 2 fire(t_0) + 3 fire(t_1) may be user-defined, and arcs a_k and a_h with transition labels l_k = 0 and l_h = 1 may both originate from source state m_i. Therefore just calling ifn() once for m_i is not possible.

Rate and impulse rewards could have been assigned most efficiently to the states/arcs of the CTMC during CTMC generation itself by just calling each user-defined rate/impulse reward function once for each newly generated state/updated arc. But then (1) possibly several reward values would have to be stored with the states/arcs of the CTMC, consuming memory until the result computation could evaluate the stochastic values. Alternatively (2) the reward values can be computed during CTMC generation and immediately be written to an external file to stay there until they are needed. But writing and reading files is time consuming. Therefore we decided (3) to compute rewards in a third step together with the result measure evaluation. As the measurements show, the complete result measure computation is relatively fast compared to the CTMC generation and numerical solution. If the limitation to ACF for impulse rewards in the DM parallel version turns out to be unacceptable, we will have to implement possibility 2.

To accelerate the output of standard result measures, as there are (1) the expected probability for a place to contain at least one token, (2) the mean number of tokens in a place, (3) the throughput of a transition and (4) the expected probability of a transition being enabled, these are provided in predefined result measure functions which can sum up all the relevant data in one sweep without the need of calling reward functions at all.
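The reward computation of Eq. (8) and (9) with the characterizing functions of this section, as an added example (not PANDA's code): every state and every incoming arc is visited once, the impulse reward is weighted with the arc rate and the source state's π_i or θ_i, self-arcs stay in the arc lists, and the four standard measures plus a user-defined impulse reward of the form 2 fire(t_0) + 3 fire(t_1) are evaluated on top of it. The CTMC, its enabling tests and the values of π(τ) and θ(τ) are constructed for one time point.

```python
"""Reward based result measures, Eq. (8) and (9) (added example, not PANDA's
own code)."""

# Constructed CTMC: markings are (Q, F, S) token vectors of a small queue net;
# INCOMING[j] lists the arcs a_k: m_i -> m_j as (i, transition label l_k, r_k).
STATES = [(0, 1, 0), (0, 0, 1), (1, 0, 1), (2, 0, 1)]
INCOMING = {
    0: [(1, "finish", 2.0)],
    1: [(0, "arrive", 1.0), (2, "finish", 2.0)],
    2: [(1, "arrive", 1.0), (3, "finish", 2.0)],
    3: [(2, "arrive", 1.0), (3, "idle", 0.5)],       # (3, "idle") is a self-arc
}
PI = [0.4, 0.3, 0.2, 0.1]         # pi_i(tau), constructed values
THETA = [0.5, 0.25, 0.15, 0.10]   # theta_i(tau), constructed values
PLACES = {"Q": 0, "F": 1, "S": 2}
ENABLING = {"arrive": lambda m: m[0] < 2,           # GSPN-level enabling tests,
            "finish": lambda m: m[2] > 0,           # constructed for the example
            "idle": lambda m: m[2] > 0 and m[0] == 2}


# Node characterizing functions (NCF): functions of the current marking m_i.
def mark(p, m):
    return m[PLACES[p]]


def enabled(t, m):
    return 1 if ENABLING[t](m) else 0


# Arc characterizing functions (ACF): functions of the current arc (i, l_k, r_k).
def fire(t, arc):
    return 1 if arc[1] == t else 0


def rate(t, arc):
    return arc[2] if arc[1] == t else 0.0


def expected_reward(rho, iota, states=STATES, incoming=INCOMING, pi=PI, theta=THETA):
    """Return (E[R'(tau)], E[R(tau)]) for a rate reward function rho(m_i) and an
    impulse reward function iota(m_i, a_k). Each state and each arc is visited
    once; an impulse reward is weighted with r_k and the source state's value."""
    inst = cum = 0.0
    for j, m_j in enumerate(states):
        rho_j = rho(m_j)
        inst += rho_j * pi[j]
        cum += rho_j * theta[j]
        for i, label, r_k in incoming[j]:
            iota_k = iota(states[i], (i, label, r_k))
            inst += iota_k * r_k * pi[i]
            cum += iota_k * r_k * theta[i]
    return inst, cum


def standard_measures():
    """The four predefined measures named in the text, each expressed as a
    rate/impulse reward pair, plus two impulse rewards that need per-arc
    evaluation. Instantaneous values E[R'(tau)] are returned."""
    no_impulse = lambda m, a: 0
    no_rate = lambda m: 0
    return {
        "P[Q >= 1 token]": expected_reward(lambda m: 1 if mark("Q", m) >= 1 else 0, no_impulse)[0],
        "E[tokens in Q]": expected_reward(lambda m: mark("Q", m), no_impulse)[0],
        "throughput finish": expected_reward(no_rate, lambda m, a: fire("finish", a))[0],
        "P[finish enabled]": expected_reward(lambda m: enabled("finish", m), no_impulse)[0],
        # user-defined impulse reward: both arcs leaving state 2 contribute
        "2 fire(arrive) + 3 fire(finish)": expected_reward(
            no_rate, lambda m, a: 2 * fire("arrive", a) + 3 * fire("finish", a))[0],
        # the self-arc of state 3 contributes here and would be lost without it
        "throughput idle": expected_reward(no_rate, lambda m, a: fire("idle", a))[0],
    }


if __name__ == "__main__":
    for name, value in standard_measures().items():
        print(f"{name}: {value:.4f}")
```

With the constructed values the throughput of "finish" is 2(0.3 + 0.2 + 0.1) = 1.2 and the self-arc adds 0.5 · 0.1 = 0.05 to the "idle" throughput, which a solver that dropped self-arcs from the arc lists would report as 0.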

4.1 Distributed-Memory Parallelization

For a distributed state space with the relevant values π_i(τ) and θ_i(τ) stored with the corresponding state m_i, rate rewards may be computed locally without any communication. Just in the end the local sums have to be sent to the master process, which sums them up and writes the output. The only difficulty arises from the characterizing function enabled(), which cannot be evaluated on CTMC level just regarding the incoming arcs of the local states. Therefore this function has to consult the GSPN and perform the same (time consuming) tests formerly done in the CTMC generation algorithm (for tokens, capacities, ...) to decide if a transition is enabled in the current marking or not.

To evaluate the multiplications in Eq. (8) and (9) for each arc, non-local source state information — namely the π_i(τ) and θ_i(τ) values — is needed. Therefore impulse rewards are expensive with respect to computation time. The strategy to compute them is exactly the same as described in Sec. 3.1 for the vector/matrix multiplications: either in one step or in |p| steps using only parts of the vectors.

The reason why impulse rewards may not depend on the current marking by the use of NCF is that the source marking may be non-local. In contrast to the probability values we consider the markings too big to be exchanged between the processors. The reorganization of the storage scheme (which is enforced by the CTMC generation) from incoming arcs to outgoing ones seems also not feasible due to communication overhead and memory balance.



4.2 Shared-Memory Parallelization

The shared-memory parallelization is as simple as the transient solution: without the need of any locking variables, just a few barriers synchronize the threads. Each thread p again is responsible for a subset M_p of the CTMC states.

In an initialization step all the incoming arcs are converted into outgoing ones, as this is the ideal storage scheme to evaluate the characterizing function enabled() in a given marking by just looking at all of the transition labels of its outgoing arcs. This means each thread has to remove all the incoming arcs of its states and assign them to their source states, possibly belonging to another thread. To avoid conflicts in the accruing outgoing arc lists this is done in |p| steps again (|p| number of processors), analogous to the computation of the diagonal elements of matrix Q at the beginning of the transient solution (see Sec. 3.2). The computation time for this initialization is negligible. The computation of the result measures itself is done completely independently in parallel on the different subsets of states and arcs.

5 Measurements

The distributed-memory (DM) algorithms were implemented using PVM and are measured on a cluster of 16 PCs with Pentium II 300 MHz processors and 256 MB main memory connected by a Fast Ethernet (100 Mbit/sec)^. The shared-memory (SM) algorithms are built on top of the standardized POSIX pthread library. The SM measurements were done on a Convex SPP1600 machine with 895 MB main memory and eight 120 MHz HP PA-RISC processors. Memory is accessed via a crossbar. The sequential runs comparing PANDA with SPNP were done on a 166 MHz Sun UltraSparc-1 machine with 256 MB main memory, as we only have access to the SPNP binaries for the Sun Solaris operating system.

^ We thank the Paderborn Center for Parallel Computing for enabling time measurements without influence from other processes.
Fig. 6. CTMC sizes and their computation times (mio = million, min = min- 
utes). [Table: column layout not recoverable.] 



All the measurements were made with a GSPN which models a multiprocessor 
system with failures and repairs, taken from . The standard result measures 
for one time point t = 50 are computed for each place and transition. The 
model can be scaled by increasing the number of tokens representing the 
processors in the system; the number of buses was fixed at 3. As usual, the 
bigger the model gets, the coarser is the scaling that results from adding one 
more token. 

The single-processor versions are truly sequential, without communication 
and synchronization and without the computational overhead caused by the 
parallelization. 

Fig. 6 shows the number of states and arcs for the largest CTMCs that can be 
generated and solved on 1, 8 and 16 processors of different architectures. 
Increasing the model further is either not possible because the next bigger 
CTMC does not fit into memory (this is the case for the SPNP and DM runs) or 
the solution times degrade (> Ah) due to swapping effects (PANDA and SM). The 
CTMC generation time and the total time for analysis and result measure 
computation are given. For simplicity in measuring and comparison, the number 
of iterations of the transient solution was artificially limited to 20. 

The data in the first two columns gives a notion of how our implementation 
performs compared to an established sequential tool, namely SPNP 5.1. Since 
we only had SPNP binaries at our disposal that were compiled without a compiler 
optimization flag, the times of the sequential PANDA runs are given with and 
without compiler optimization. If only CTMC generation were regarded, SPNP 
would be able to create larger state spaces than PANDA, since it allocates the 
memory for the numerical solver only after the generation is finished and thus 
runs out of memory only when the numerical solution starts. PANDA, on the other 
hand, already prepares the data structures during generation to contain some of 
the values of the numerical solution. This way the space of the search data 
structure may be reused, which results in slightly bigger solvable models. 

The parallel runs in the DM columns show that the model size scales by a 
factor of about 4.3 from 1 to 8 processors. Besides algorithmic reasons, this 
is due to the data structures of the DM implementation currently being much 
more wasteful than necessary. Accordingly, the model size scales better from 8 
to 16 processors, namely by 1.83. This shows that the algorithm itself works 
well. The loss compared to an optimal scaling factor of 2.0 can be explained by 
the number of message buffers and the overhead in balancing the state space, 
both of which increase with a growing number of processors. As we will see 
later, some parts do not gain good speedups, which results in an increase of 
solution time. 

To our surprise it was also possible to use the one-step multiplication for the 
two models given in the DM columns. This is because swap space was acciden- 
tally big enough. But for these model sizes the multiple step solution is already 
10% faster: the swapping effects compensated for the communication overhead. 

The last column shows the computation times for the biggest model solvable 
on the Convex SPP1600. The size scales optimally, as no memory is lost for send 
and receive buffers. We could also generate the CTMC with 4.6 million states on 
this machine with “only” 895 MB of shared memory. Generation time was only 
97 minutes using the SM approach and 8 processors. But during the numerical 
solution swapping occurred, so we interrupted the ongoing solution after 6 hours. 
This shows that the generation phase, in contrast to the solution phase, can 
use swap space efficiently. 



Fig. 7. Distribution of states onto processors (distributed-memory). [Plot: 
number of states per processor.] 

Fig. 8. Distribution of arcs onto processors (distributed-memory). [Plot: 
number of arcs per processor.] 



Fig. 7 shows the number of states generated on a given processor and finally 
stored on it for one DM run for a CTMC with 2.2 mio states and 21 mio arcs on 
8 processors. Fig. 8 shows the same information as Fig. 7 for the arcs (note 
the different scale). The numbers of generated states and arcs differ very much 
across the processors, but load balancing equalizes them, resulting in slightly 
varying numbers of stored arcs and more varying numbers of stored states. As 
there are ten times more arcs than states, the arcs are decisive, which leads 
to a maximum difference of stored bytes of 10%, the tolerance parameter we 
defined for load balancing in this run (see Page^^). 

Fig. 9 gives the computation times of the DM algorithms for the total analysis 
process (CTMC generation, uniformization and standard result computation) for 
a small state space of 260 000 states and 2.4 mio arcs, where no swapping 
occurs on one processor. The only part that gains a considerable speedup is the 
CTMC generation. This proves that the dynamic load balancing algorithm works 
efficiently. The share of load balancing in computation time never exceeded 20%. 

As the model is small, using more than 6 processors leads to an increase 
in solution time. The one-step multiplication is faster than the multiple-step 
multiplication in the transient solution, since only one sweep through all the 
arcs has to be performed, thus avoiding idle times caused by an unequal 
distribution of operations in one of the multiple steps. The generally poor 
parallel performance of the uniformization is not astonishing, as in each 
iteration a vector of size $|M|$ has to be exchanged but only few arithmetic 
operations are done. Therefore we do not think that any numerical solver 
starting from this scattered state space can gain good speedups, so we are 
content that times do not degrade. As expected, result computation is the 
fastest part of the analysis also in the parallel version. 

Fig. 9. Computation times for the DM algorithms for a CTMC with 260 000 
states. [Plot: computation time (sec), distributed memory.] 

Fig. 10. Speedups for the SM algorithms for two different CTMCs. [Plot: 
speedup, shared memory.] 

Fig. 10 shows the speedups for the SM algorithms for two CTMCs with (1) 
1.6 mio states and 14 mio arcs and (2) 700 000 states and 6.6 mio arcs. 
The CTMC generation speedup is linear, and the bigger the model the better. 
For the transient solution it is less good but acceptable. This is not due to 
synchronization (as we described in Sec. , there is hardly any) but to the 
memory accesses made for both the destination and the source state of each 
arc. This means memory accesses are more scattered and caches have to be 
updated more often for the uniformization. This is also the reason why swapping 
mainly affects the numerical solution. 

We also investigated result computation times for user-defined rate and im- 
pulse rewards, but found that several very complex result measures have to be 
specified before a noticeable increase of computation times shows up. 



6 Conclusion 

Due to our distributed-memory algorithms we can now analyze models on local 
area networks of sizes which are beyond the capacity of single workstations. We 
showed that dynamic load balancing distributes the state space equally onto the 
processors. This is important to guarantee scalability for any arbitrary model. 

In our experience the shared-memory architecture proves to be more suitable 
for GSPN analysis than the distributed-memory architecture with respect to 
speedup, memory utilization and implementation effort. The main argument 
against shared-memory machines is their availability. But we think parallel 
high-performance computers will become widely accessible in compute centers 
as the Internet gets more and more popular. As even in the workstation sector 
two-processor machines are common nowadays, and as every important operating 
system comes with a standardized thread library, such acceleration approaches 
will become more and more significant. 

In the future we will also have to focus on more memory efficient internal data 
structures as up to now we simply have been more interested in the algorithmic 
aspects. The possibility to dynamically assign new processors to a problem if 
it runs out of memory will be included. This is only possible because of the 
flexible load balancing routine and seems very promising as too many processors 
increase computation times. With respect to the transient solution we want to 
look for memory organizations which allow a more efficient use of swap spaces. 
Abstract. The use of formal methods for specification and analysis of 
dependable systems is considered a promising opportunity to support 
the evaluation of critical issues since the early design phases. Stochastic 
Petri nets can play an important role not only for the specification of 
functional issues of a system, but also for the predictive evaluation of 
performance and dependability properties. In this paper we investigate 
the possibility of using Stochastic Well-formed Nets (SWN) as a frame- 
work for specifying, validating and evaluating fault tolerance mechanisms 
used in plant automation. A temporal redundancy technique currently 
adopted in several electric plants to deal with transient faults is taken as 
a case-study. The peculiar feature of SWNs is the capability of directly 
generating an aggregated state space thus allowing for efficient model 
analysis. 



1 Introduction 

The increasing complexity of automation systems, which combine high func- 
tional, real-time and fault-tolerant requirements, demands techniques and tools 
to support design choices and validation phases. Support is needed for the proper 
selection of fault tolerance (FT) mechanisms suited to obtain the required level 
of dependability and for the qualitative and quantitative analysis of system 
properties. The need for this kind of decision support comes not only from 
the traditional field of safety critical systems, but also from mission critical 
ones (like energy production and distribution) where the economic impact of 
possible failures on the production process is very high. The use of formal 
methods for specification and analysis of dependable systems is considered a 
promising opportunity to address critical issues from the early design phases on. 

Stochastic Petri nets can play an important role not only for the specification 
of functional issues of a system, but also for the predictive evaluation of perfor- 
mance and dependability properties. Previous applications of these techniques 
(e.g., Q) in the plant automation field show that clear, unambiguous and exe- 
cutable specifications, together with automatic tools supporting simulation and 
analysis, allow better reasoning on the critical aspects, driving design choices 
and providing a significant contribution to verification and evaluation activities. 
Furthermore, they reduce the risk of system re-design due to late discovery of 
unfulfilled requirements. 

* This work was supported in part by the Italian Ministry for University and Research 
and in part by the Esprit project TIRAN. 

In this paper we investigate the possibility of using a class of high-level 
stochastic Petri nets known as Stochastic Well-formed Nets (SWN) | as a 
framework for specifying and deriving both qualitative and quantitative proper- 
ties of FT mechanisms used in plant automation. A temporal redundancy tech- 
nique based on a combination of distributed software and dedicated hardware 
components is taken as a case-study. Such a technique is the main component of 
a layered FT architecture, used in several ENEL plants to deal with transient 
faults. A novel implementation of these FT solutions is foreseen to be adopted 
for the next generation of ENEL automation systems. The experimentation of 
SWN techniques carried out in the present work aims to provide the basis for 
an evaluation framework to support the development of these new FT solutions. 

Among the different proposals of high-level extensions of Generalised Stochas- 
tic Petri Nets (GSPN) Q, SWNs offer the possibility to directly generate an 
aggregated state space (symbolic reachability graph or SRG) that preserves all 
the information of the reachability set. From the stochastic point of view, it is 
possible to generate a lumped Markov chain isomorphic to the SRG Q, thus 
reducing the complexity of the analysis of the stochastic process underlying the 
SWN model as well as of the discrete-event simulation Q. The SRG construction 
relies on the concept of symbolic marking. Roughly speaking, a symbolic marking 
represents all the markings that can be obtained from each other by admissible 
object permutations. 

The paper is organised as follows: Sect. 2 describes the system under investi- 
gation; Sect. 3 gives an informal presentation of the SWN formalism and outlines 
the technique employed to represent deterministic timing using null constant and 
exponentially distributed random delays; Sect. 4 presents the specification of the 
temporal redundancy mechanism by SWN models. The qualitative analysis of 
the model is then carried out in Sect. ^, where a preliminary structural analy- 
sis is performed, and in Sect. ^, where the analysis is based on the aggregated 
state space directly generated from the SWN model described in Sect. 4. Sect. 
^ deals with the probabilistic representation of fault processes by SWN models, 
and an example of quantitative steady-state analysis of the system with respect 
to different characterisations of fault occurrence is presented in Sect. ^. Finally, 
Sect. ^ draws some final remarks and outlines future development of the present 
work. 



ENEL is the main Italian electricity supplier. 
2 The Temporal Redundancy Technique for Electric Plant Automation 

In electric plant automation the main source of faults is the electricity itself: 
electro-magnetic interference may produce permanent and transient faults af- 
fecting computation, I/O and memory. Since the early 80s, ENEL has defined an 
FT architecture based on software and dedicated hardware, initially applied to 
the High Voltage Substation Controller, then widely used for different plants 
and today under a renewal process. A number of typical mechanisms for error 
detection, isolation and recovery are provided within the architecture, whose 
structure is the following: the application layer, which concerns command, 
control and monitoring of the plant; the support software layer (SSW), which im- 
plements the FT mechanisms, providing the application layer with a sort of safe 
virtual machine; the hardware layer, which is composed of a central cabinet (on 
which application and SSW run), I/O units and dedicated devices. 

The core of the FT strategy is represented by the stable memory (SM), a 
storing device exploiting temporal and spatial redundancy, error detection and 
correction techniques, to protect against transient faults affecting input, elabo- 
ration and memory and against permanent faults affecting memory. SM is used 
by SSW to store and stabilise the application internal state. The interaction 
between SSW and the application is realised through a portion of unprotected 
RAM, called exchange RAM (ExRAM), so decoupling the two layers. The inter- 
action of SSW with the SM dedicated boards is realised by means of calls to the 
SM read/write routines. The portion of SSW in charge of managing SM will be 
denoted by SMSW. 

The application is seen as a hierarchical organisation of Mealy and Moore 
automata, the latter representing the interface with the plant. The application 
state, stored in state variables, is represented by the state of all its automata. 
The application is cyclic. Its input at each cycle is represented by its current 
state, fetched from the SM, and input signals, sampled from the field. At the 
end of each computation cycle the application produces a new state (called the 
future state) and commands to be sent to the field. 

SM is physically implemented by two groups of specialised boards, each con- 
trolled by a microprocessor, containing the current (stable) and the future (to 
be stabilised) state of the application, respectively. Analogously, ExRAM is par- 
titioned in two areas (ExRAM_c, ExRAM_f). Each SM group is internally par- 
titioned into a read-only (RO) address space and a write/read (WR) address 
space, accessible by means of read/write operations, respectively. 

The temporal redundancy implemented by the SM requires the application 
to be repeatedly executed a given number of times with the same input and state 
before validating its future state by a voting mechanism. Re-execution of both 
application and SSW is periodically forced by a cyclic hardware restart. When 
the computed future state is confirmed for a number of consecutive cycles, the 
SM groups switch, i.e., the computed future state becomes the current state. 

The WR space of a group is identified with the first position of a circular 
buffer having three positions. A write operation, which follows an application 
cycle, causes a buffer shift, and equality voting is applied on the buffer posi- 
tions. Positive voting results in copying the contents of the WR space into the 
RO space. The SM schema and an application cycle are depicted in Fig. 1. The 
structure of the SMSW is illustrated by the pseudo-code of Fig. 2; it represents 
the sequence of operations executed on the central cabinet unit during a cycle. 
The adopted “two-phase” switch mechanism is pointed out, which relies on com- 
plementing the state flag of either SM group, once the computed future state 
has been confirmed. The syntax we adopt for a write is Write(State_conf, Group), 
where State_conf denotes an area of the ExRam containing a state configuration. 
Similarly, the syntax of a read is Read(&State_conf, Group). Suffixes and prefixes 
c and f are used for “current” and “future”, respectively. 

Fig. 1. SM schema and application cycle 

  phase 1: Write(ExRam_f, f_group); 
  phase 2: Read(&conf1, g1); Read(&conf2, g2); 
           if (conf1.flag == conf2.flag) then 
             c_group = g1; ExRam_c.flag = conf1.flag; ExRam_f.flag = conf2.flag; 
           else 
             c_group = g2; ExRam_c.flag = conf2.flag; ExRam_f.flag = conf1.flag; 
           endif 
  phase 3: Read(&ExRam_c, c_group); 
  phase 4: Read(&conf, f_group); 
           if (conf.sv == ExRam_f.sv) then 
             ExRam_f.flag = not(ExRam_f.flag); 
           endif 
  phase 5: Start_appl(ExRam_c, &ExRam_f); 

Fig. 2. Pseudo-code of SMSW 

During phase 1 the configuration stored in ExRam_f is saved in the future 
group. During phase 2 the state flags of both groups are read and copied into 
the ExRam; if they are equal, group g1 is set as current, otherwise group g2 is 
set as current. In phase 3 the current state is read from the current group and 
copied into ExRAM_c, and in phase 4 the state read from the future group is 
compared with the state stored in ExRAM_f (the previous output), disregarding 
the state flag. If they are equal, the state flag of the future group is comple- 
mented in ExRAM. During the last phase the application starts, taking its input 
from ExRam_c and saving the output into ExRam_f. 
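The cycle just described, as an added example that is neither the paper's code nor ENEL's implementation: a Python simulation of the two SM groups, the three-position WR buffer with its equality vote, and phases 1-5 of Fig. 2, with a deterministic counter standing in for the application, so that the two-phase group switch and the masking of a transient fault can be observed. Assumptions not stated in the paper (marked in the code): the vote compares the whole (sv, flag) configuration, f_group is always the group other than c_group, the application writes only the state value of ExRam_f, and both groups start stable on s0 with flag false.

```python
"""Simulation of the stable-memory (SM) temporal-redundancy cycle of Sect. 2.
Added example, not the paper's own code or ENEL's implementation; everything
marked ASSUMPTION is not stated in the paper and was chosen here."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Conf = Tuple[str, bool]   # a state configuration: (state value sv, state flag)
BUFFER_POSITIONS = 3      # WR circular buffer with three positions (Sect. 2)


@dataclass
class SMGroup:
    """One SM group: a read-only (RO) space and the WR circular buffer."""
    ro: Conf
    wr: List[Conf] = field(default_factory=list)

    def write(self, conf: Conf) -> bool:
        """Write(State_conf, Group): store in the first position, shift the
        buffer and vote; a positive vote copies the WR contents into RO."""
        self.wr = ([conf] + self.wr)[:BUFFER_POSITIONS]
        # ASSUMPTION: the vote compares the whole (sv, flag) configuration.
        if len(self.wr) == BUFFER_POSITIONS and all(c == conf for c in self.wr):
            self.ro = conf
            return True
        return False

    def read(self) -> Conf:
        """Read(&State_conf, Group): the stable configuration held in RO."""
        return self.ro


@dataclass
class SMSW:
    """Stable-memory support software executing the cycle of Fig. 2."""
    appl: Callable[[str], str]   # abstract application: current sv -> future sv
    groups: Dict[str, SMGroup]
    exram_c: Conf
    exram_f: Conf
    c_group: str = "g1"
    f_group: str = "g2"          # ASSUMPTION: always the group other than c_group
    switches: int = 0            # how often the current group changed

    def cycle(self, fault: Optional[str] = None) -> str:
        """Run phases 1-5 once. `fault`, if given, replaces the application's
        output for this execution only (a transient fault in the elaboration).
        Returns the group selected as current in phase 2."""
        g1, g2 = self.groups["g1"], self.groups["g2"]
        # phase 1: save the previous output (ExRam_f) into the future group
        self.groups[self.f_group].write(self.exram_f)
        # phase 2: equal state flags -> g1 is current, otherwise g2
        conf1, conf2 = g1.read(), g2.read()
        previous = self.c_group
        if conf1[1] == conf2[1]:
            self.c_group, c_flag, f_flag = "g1", conf1[1], conf2[1]
        else:
            self.c_group, c_flag, f_flag = "g2", conf2[1], conf1[1]
        self.f_group = "g2" if self.c_group == "g1" else "g1"
        self.exram_c = (self.exram_c[0], c_flag)
        self.exram_f = (self.exram_f[0], f_flag)
        if self.c_group != previous:
            self.switches += 1
        # phase 3: fetch the current state from the current group
        self.exram_c = self.groups[self.c_group].read()
        # phase 4: if the future group already holds the previous output
        # (flag disregarded), complement the state flag in ExRam_f
        if self.groups[self.f_group].read()[0] == self.exram_f[0]:
            self.exram_f = (self.exram_f[0], not self.exram_f[1])
        # phase 5: Start_appl(ExRam_c, &ExRam_f); ASSUMPTION: the application
        # writes only the state value, the flag stays as set by SMSW
        future_sv = fault if fault is not None else self.appl(self.exram_c[0])
        self.exram_f = (future_sv, self.exram_f[1])
        return self.c_group


def counter_appl(sv: str) -> str:
    """ASSUMPTION: deterministic abstract application, s<k> -> s<k+1>."""
    return f"s{int(sv[1:]) + 1}"


def new_system() -> SMSW:
    """Both groups stable on the refresh value s0 with flag false (ASSUMPTION)."""
    s0: Conf = ("s0", False)
    groups = {g: SMGroup(s0, [s0] * BUFFER_POSITIONS) for g in ("g1", "g2")}
    return SMSW(counter_appl, groups, exram_c=s0, exram_f=s0)


def run(system: SMSW, cycles: int,
        faults: Optional[Dict[int, str]] = None) -> List[str]:
    """Run `cycles` cycles; `faults` maps a cycle index to the corrupted future
    state produced in that cycle. Returns the stable current state (sv in the
    RO space of the current group) observed after each cycle."""
    faults = faults or {}
    return [system.groups[system.cycle(faults.get(i))].read()[0]
            for i in range(cycles)]


if __name__ == "__main__":
    print("fault-free:", run(new_system(), 14))
    print("one transient fault in cycle 8:", run(new_system(), 16, {8: "BAD"}))
    print("sustained fault from cycle 8:",
          run(new_system(), 16, {i: "BAD" for i in range(8, 16)}))
```

A single corrupted execution never reaches an RO space and only delays the switch by the cycles needed to shift it out of the buffer, whereas a fault that persists over enough consecutive cycles is voted in, which is why the technique targets transient faults only.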

The first goal of this paper is to give a formal specification of the application 
cycle; both the stable memory hardware and its interaction with the SMSW will 
be modeled. We assume that the SM hardware devices exploit spatial redundancy, 
error detection and correction techniques, so these features will not be 
considered. 

3 Stochastic Well-formed Nets 

Stochastic Well-formed Nets (SWN) Q are a high-level extension of Generalised 
Stochastic Petri Nets (GSPN) Q. As in GSPNs, there are two kinds of transi- 
tions: timed transitions, which are associated with a random firing delay with 
a negative exponential probability distribution function, and immediate transi- 
tions, which fire in zero time and with priority over timed ones. We only recall 
that, as a result of this time representation, the reduced Reachability Graph of 
a GSPN (SWN) (obtained by deleting the vanishing markings, i.e. the markings 
where at least one immediate transition is enabled), called tangible RG, is iso- 
morphic to a Continuous Time Markov Chain (CTMC). We refer the reader to 
B for a detailed explanation of the timing semantics of GSPNs. 

The definition of a particular syntax to specify colour domains, arc functions 
and predicates forms the basis for an automatic detection of the model sym- 
metries, and of their exploitation in the model solution, through the concept of 
symbolic marking. In the sequel of this section a semi-formal description of the 
SWN formalism is given, referring to | for a formal presentation. 

3.1 The SWN Formalism 

The entities of a system under study are called objects; they are collected in 
pairwise disjoint basic colour classes, which may be ordered if such a relation 
exists among the objects of the class. Colour classes may be partitioned into 
static subclasses; this partitioning is useful when it is necessary to model 
different qualitative and/or quantitative behaviours of objects of the same 
nature. We use the term unitary to denote a static subclass containing only one 
object. 

Each place p is associated with a colour domain, denoted as C(p) and defined 
as the Cartesian product $C_1 \times \ldots \times C_n$ of (possibly repeated) basic 
colour classes $C_i$. Places associated with an empty colour domain correspond 
to places of a non-coloured Petri net. 

Each arc, connecting place p and transition t, is labeled by colour functions, 
denoted by I, O, H depending on the arc type (input, output, inhibition). They 
are defined as weighted formal sums of basic function tuples $\langle f_1, \ldots, f_k \rangle$, 
whose arity is equal to $C(p) = C_1 \times \ldots \times C_k$. Each $f_i$ may be one of 
the following types: 

$S_{C_i(sbc)}$: Synchronisation (constant) function: it returns all objects of 
$C_i(sbc)$, where $C_i(sbc)$ denotes a static subclass of $C_i$. If $C_i(sbc)$ is not 
specified then $S$ returns all objects of colour class $C_i$. 

$x$: Identity function (hereafter called variable): when bound to $c \in C_i$ it 
returns the object itself (i.e. $x(c) = c$). $f, y, z, \ldots$ are also used as 
variables to denote other colour components. 

$!x$: Successor function: it is defined only on ordered basic colour classes. It 
returns the successor of the object returned by $x$. The ordering is circular, 
i.e. $\ldots = x$. 

Let $Var(t)$ denote the set of variables appearing in colour functions labeling the 
arcs from/to transition t. For a given $x \in Var(t)$, $C(x)$ denotes the colour class 
whose objects are bound to x. 

A predicate may be associated with transition t (denoted as $Pr(t)$); it is 
obtained by combining basic predicates by means of the logical operators $\vee$ and 
$\wedge$. A basic predicate may be one of the following types: $x = y$, $x \neq y$, $x = !y$, 
$x \neq !y$, $x \in C(x)_{sbc}$, $x \notin C(x)_{sbc}$, where $C(x) = C(y)$ and $C(x)_{sbc}$ 
denotes a static subclass of $C(x)$. 

An ordinary marking is a function mapping each place p into a multi-set 
(denoted by a weighted sum) $M(p)$ over $C(p)$. The initial marking is denoted 
as $M_0$. Tokens will be denoted by tuples $\langle c_1, \ldots, c_n \rangle$ where $c_i \in C_i$, 
$i = 1, \ldots, n$. 

A binding b of the variables of $Var(t)$ to objects of the associated colour 
classes is called a colour instance (c.i.) of t (also denoted by $(t, b)$). Symbols 
$I(p,t)(b)$, $O(p,t)(b)$ and $H(p,t)(b)$ denote, for a given c.i. $(t, b)$ and for a given 
input, output or inhibitor arc connecting the place p to t, the evaluation of the 
corresponding colour function (producing a multi-set over $C(p)$). For a given 
marking M, a c.i. $(t, b)$ with the following properties: 

— the predicate on b holds; 

— for each input place p, $I(p,t)(b) \le M(p)$; 

— for each inhibitor place p, $H(p,t)(b) > M(p)$ 

is said to have concession in M and will be called occurrence mode (o.m.). An 
o.m. is enabled in M iff there does not exist a higher priority transition that has 
an o.m. in M. Let $E(M)$ denote the set of o.m. enabled in M. An o.m. $(t, b) \in E(M)$ 
may fire, producing a new marking $M'$ (denoted as $M[(t, b)\rangle M'$) such that for 
each place p, $M'(p) = M(p) - I(p,t)(b) + O(p,t)(b)$. A firing (or occurrence) 
sequence is a sequence of markings and o.m. $M_1[e_1\rangle M_2[e_2\rangle \ldots$ 

The set of all markings reachable from M is denoted by $[M\rangle$ ($[M_0\rangle$ is called 
reachability set). 

A peculiar feature of SWN is the definition of the so-called symbolic marking; 
each symbolic marking is an equivalence class of ordinary markings, up to per- 
mutations on basic colour classes preserving the partition into static subclasses. 
Symbolic markings are expressed in terms of dynamic subclasses, which identify 
possible dynamic partitions of a colour class. A symbolic firing rule is defined, 
which allows the SRG of a SWN to be directly constructed from the symbolic 
initial marking. The main advantage is that it is possible to directly and auto- 
matically generate an aggregated state space (called symbolic reachability graph 
or SRG) that preserves all the information of the reachability set. From the 
stochastic point of view, the complexity of the solution of the stochastic process 
underlying the SWN model is greatly reduced, as discussed in Q. 

^ Hereafter the $\ge, \le$ relations, the $+, -$ operations, and cardinality will be 
implicitly extended to weighted sums, considering the respective coefficients. 

3.2 Graphical Notation 

We adopt the following conventions for the SWN models that will be presented in 
the paper. Place names will be written in small capitals while transition names 
will be written in italic. The top part of each figure depicting a SWN model 
will contain a list of place colour domains and transition predicates; places 
that do not have an associated colour domain and transitions without predicate 
will not be listed. The notation $\pi : h$ drawn near an immediate transition t will 
be used to highlight its priority level and will be used only when $h > 2$. The 
steady-state throughput of t will be denoted as $X(t)$. 

If there exist one input and one output arc connecting place p and transition 
t such that $I(p,t) = O(p,t) = k$, we denote them as test arc and will draw a 
single, double-arrowed arc with multiplicity equal to k. Similarly, if there exist 
one input and one inhibitor arc connecting p and t such that $H(p,t) = I(p, \ldots$, 
we denote them as flush arc and will draw a single, double-arrowed, dotted arc 
with multiplicity equal to k. Multiplicities will be drawn only if $k > 2$. 



4 The SWN Model 

The starting point of this work was the existing description of SSW, based on a 
mix of natural language and high-level pseudo-code. Focusing on SM, our first 
aim was to provide a formal specification, by means of a SWN model, of the 
operations executed by SSW on SM boards during a cycle. 

To cope with the layered design of the FT technique, SWNs have been inte- 
grated with a simple, modular approach inspired by the Process/Resource-Box 
(P/R-B) Q modeling technique. The P/R-B allows a step-wise representation 
of both software processes and software/hardware resources. Moreover, in terms 
of P/R-B, the mapping of a process over a resource is obtained by applying 
well-known net operators to box interfaces (in our case, transition fusion). 

We present SM as an available composite resource. The process accessing this 
resource is represented by the composition of SMSW and an abstract application. 
The complete model, here omitted for space reasons, has been obtained by com- 
posing the Resource-box of the SM (given in Sect. 4.1) with the Process-boxes 
of SMSW and of the abstract application (given in Sect. ^). 

In each sub-model, variables denoted by capital letters occur in arc inscrip- 
tions of transitions belonging to the box interface, representing formal parame- 
ters. The composition of submodels by transition superposition requires a match- 
ing (colour respecting) of formal parameters appearing in arc inscriptions of 
superposed transitions (Sect. ^). 

The colour classes we defined for the SWN model are the following. GROUP = 
$g1 \cup g2$ is an ordered class partitioned into two unitary static subclasses which 
identify the SM groups. Colour class SV = $conf \cup s0$ is a non-ordered class 
partitioned into two static subclasses which are the basis of a very effective, 
“two-state” representation of the mechanism. The objects in conf denote different 
states of the application, while s0 is used as “refresh” value. Class FLAG = 
{true, false} is used to represent the boolean values assigned to flags. Class 
ROLE = $cr \cup fr$ is non-ordered and partitioned into two unitary static 
subclasses that represent the roles alternately played by the SM groups 
(“current” and “future”) and the partition of the ExRAM. 

Most of the activities of the system we investigate can reasonably be assumed to 
have a constant duration, e.g., reads and writes on memories, while application 
execution times and fault periods may better be modeled using random delays. 
Constant delays in the system we consider are multiples of a time unit (the ac- 
cess time to the stable memory is equal to 20ms); therefore, we adopt a modeling 
approach based on the use of only one exponential transition, which models a 
system clock, and an arbitrary number of immediate transitions that represent 
the system operations. More details on this approach, adopted in the context of 
ATM communication network modeling, can be found, for instance, in 3,3,Q. 

The firing of the clock transition (which will be named Clock) deposits one 
token into a non-coloured place (named time), thus modeling the progression 
of system time. The number of tokens in place time represents the time units 
elapsed since the start of an application cycle (since in our model a time 
unit is taken to be equal to 20ms, $M(\textit{time}) = d$ means that $d \cdot 20$ 
milliseconds have elapsed). The number of tokens in place time does not grow 
unboundedly. Its content is emptied by the firing of any transition representing 
the end of a cycle, corresponding to phase 5 of the pseudo-code sequence. This 
mechanism is modeled by connecting these transitions to place time through a 
flush arc with the appropriate multiplicity. 

Transitions that represent phases in the SMSW pseudo-code are allowed to 
fire only at well-defined time instants, in accordance with the position of the 
represented phase in the pseudo-code sequence. To achieve this, some of the 
model transitions have test arc connections with place time whose multiplicity 
reflects the time units that must elapse from the beginning of a cycle before 
the corresponding activity may take place. 

4.1 The Model of the Stable Memory Hardware 

The model of the hardware of the SM is depicted in Fig. 3. Both SM read/write 
and voting operations are represented as atomic by means of single transitions. 
The time taken by the voting procedure, reflecting its actual complexity, is ex- 
pressed by the multiplicity of the test arc connection between place time and 
transition Vote. For the remaining transitions of Fig. 3 the multiplicity of the 
test connection with the place time is left unexpressed. In fact they represent 
I/O routines called by SMSW, and they will be superposed with the corresponding 
transitions of its Process-box. 

Fig. 3. Stable Memory hardware model. Colour domains and predicates listed 
in the figure: $C(\textsc{wr}) = GROUP \times SV \times FLAG \times SV \times FLAG \times SV \times FLAG$; 
$C(\textsc{ro}) = GROUP \times SV \times FLAG$; $C(\textsc{fs}) = GROUP$; $Pr(\textit{Vote}) = [\ldots]$. 

Place WR models the WR space of a SM group, identified with the circular buffer. A pair SV × FLAG of the place colour domain represents a state configuration, which contains a flag (called state flag) used for switching the system. Place RO models the RO space of a SM group, while place FS identifies the group on which the voting operation is executed. 

Transition Write represents a write operation on the first position of the WR circular buffer, and the buffer shift. The formal parameter G identifies the group on which the operation is executed, while the pair of formal parameters (X, F) represents the state configuration that is saved. Transition Read models a read operation from the RO address space of the group G. The read configuration is represented by the pair of variables (x, f). Transition Read2 represents a sequence of read operations from the RO spaces of both groups. The read configurations are represented by the pairs of variables (x, f1) and (y, f2). It has been introduced to keep the composition with the SMSW model as simple as possible. Transition Vote models a successful voting operation in a SM group (identified by g). The firing of this transition copies the configuration (x, f) stored in the WR space to the RO space. 



4.2 The Model of the Stable Memory Support Software 

The model of the SMSW is depicted in Fig. 4. The cyclic structure of the net represents the periodic restart mechanism. The system timing, based on counting non-maskable interrupts periodically generated by a dedicated board, is simulated by the adopted clock-based approach. 
The set {savefs, identifycs, copycs, comparefs, beginappl, endappl} (denoted as CF) represents the control flow of the above sequence. The token traversing them, referred to by the variable g, denotes the "current" SM group. Place exramf represents the copy of the SM state flags in ExRAM. Place exramsv represents the copy of the state variables in ExRAM. We use the auxiliary place CKAPP to model the duration of the application. 

Transitions are grouped into sets and each set corresponds to a phase of the pseudo-code sequence. Occurrence modes of different transitions in a set are in mutual exclusion. Transition Writefs represents phase 1 of the pseudo-code sequence. Arc inscription g is related to parameter c_group, while arc inscriptions x, f correspond to ExRam_f. Transitions Idecurr1 and Idecurr2 describe phase 2 of the pseudo-code sequence. Arc inscription F1 corresponds to conf1.flag and F2 corresponds to conf2.flag. Transition Readcs models phase 3 of the pseudo-code sequence. Arc inscription g is related to c_group and x corresponds to ExRam_c. Transitions Readfsyesc and Readfsnoc describe phase 4. Arc inscription g corresponds to parameter c_group, x corresponds to conf.sv and y is related to ExRam_f.sv. The following set models the duration of the application: {Keep_app, Flush_app, Appl20, Appl40, Appl60, Appl80, Timeout}. Transition Application models a correct computation, which is by convention represented by changing the input state from x to z, as specified by the associated predicate (z is fixed, since |conf| = 2); it also represents the restart of the sequence. 

Colour domains and predicates of Fig. 4:

C(endappl) = GROUP        Pr(Readfsnoc) = [x ≠ y] 
C(beginappl) = GROUP      Pr(Readfsyesc) = [x = y ∧ f2 ≠ f3] 
C(savefs) = GROUP         Pr(Idecurr1) = [F1 = F2] 
C(identifycs) = GROUP     Pr(Idecurr2) = [F1 ≠ F2] 
C(copycs) = GROUP         Pr(Application) = [x ∈ conf ∧ z ∈ conf ∧ x ≠ z] 
C(comparefs) = GROUP 
C(exramf) = ROLE × FLAG 

Fig. 4. SMSW and application model 

In the following, we use slc to denote any transition sequence corresponding to a cycle, i.e. slc is the set family: 

{Writefs, (Idecurr1, Idecurr2), Readcs, (Readfsyesc, Readfsnoc), 
(Appl20, Appl40, Appl60, Appl80, Timeout), Application} 

where alternatives are delimited by round brackets. The set of all transitions appearing in slc will be denoted by SLC. 



4.3 The Sub-models Composition 

The complete model is obtained by superposing the following transition pairs, where the first transition refers to Fig. 3 while the second one refers to Fig. 4. The substitution of formal parameters with actual functions is listed between square brackets: 

Read × Readcs [G : g, X : x] 
Read × Readfsyesc [G : !g, X : x] 
Read × Readfsnoc [G : !g, X : x] 
Read2 × Idecurr1 [F1 : f1, F2 : f2] 
Read2 × Idecurr2 [F1 : f1, F2 : f2] 
Write × WriteSV [G : !g, X : x, F : f] 

Notice that !g denotes the "future" group, GROUP being an ordered class of two elements. We assume that transitions resulting from the composition maintain the names of Fig. 4. 



5 Model Validation by Structural Analysis 

Structural analysis is a useful approach for a preliminary model validation. Even if less complete than state space inspection, it proves to be necessary when the state space is so large that its inspection is unfeasible. In this context, a simple structural analysis is carried out to detect basic model properties. Such properties are maintained when a fault representation is introduced (Sect. 7), which makes the SRG inspection impossible while preserving the original system structure. More complex qualitative properties of the represented mechanism will be derived by inspection of the SRG of the model without fault representation. 



SWN Nets for the Specification and the Analysis of FT Techniques 179 



Let $\pi_i : Bag(C_1 \times \dots \times C_k) \to Bag(C_i)$, $1 \le i \le k$, be the bag extension of the projection on the $i$-th class. For each $M \in [M_0\rangle$, the following relations hold (we assume that relations (1)-(4) hold in the initial marking): 

$$\sum_{p \in CF} |M(p)| = 1 \quad (1)$$

$$\pi_1(M(\mathrm{RO})) = \pi_1(M(\mathrm{WR})) = 1 \cdot g1 + 1 \cdot g2 \quad (2)$$

$$\pi_1(M(\mathrm{exramf})) = \pi_1(M(\mathrm{exramsv})) = 1 \cdot cr + 1 \cdot fr \quad (3)$$

$$|M(\mathrm{FS})| = 1 \quad (4)$$

$$\forall t,\ \exists!\,(t,b) : \forall p,\ I(p,t)(b) \le M(p) \quad (5)$$

$$\forall (t,b), (t',b'),\ t \ne t',\ t,t' \in SLC : (t,b) \in E(M) \Rightarrow (t',b') \notin E(M) \quad (6)$$

$$\exists M' \in [M\rangle,\ (t,b),\ t \in SLC : (t,b) \in E(M') \quad (7)$$



Relations (1) and (4) hold since $\sum_{p \in CF} p$ and FS are P-semi-flows of the decoloured model, obtained by replacing colour functions with the corresponding cardinalities (which are colour independent), and by deleting transition predicates. Relations (2) and (3) hold since $\forall t, \forall p \in \{\mathrm{RO}, \mathrm{WR}, \mathrm{exramf}, \mathrm{exramsv}\} : \pi_1(O(p,t) - I(p,t)) = \emptyset$ ($\emptyset$ is the null constant function on multisets). Relation (1) represents the control flow of SMSW, while relations (2) and (3) reflect the partition of SM and of ExRAM. Starting from relations (1)-(4), some further results concerning liveness and mutual exclusion, (5)-(7), were obtained (proofs are omitted for lack of space). We may summarise the previous results by saying that from any marking, exactly one o.m. (t, b) representing a cycle operation eventually becomes enabled. As a consequence, the net is live with respect to SLC. This reflects some features of the represented system, which is cyclic, fully deterministic, non-blocking, and which evolves irrespective of faults. 

Other results have been derived from the previous ones, e.g. absence of loops of o.m. of immediate transitions (trapping the model), and net boundedness for any $M_0$. 

6 Qualitative Analysis Based on SRG 

In this section we analyze the system behaviour by inspecting the SRG generated by our model. For this purpose, we assume that the transition Vote in Fig. 3 is split into two transitions whose o.m. are in structural mutual exclusion: Voteyesc (Pr(Voteyesc) = [f ≠ f1]) and Votenoc (Pr(Votenoc) = [f = f1 ∧ y ≠ x]). The split is done by rewriting Pr(Vote) = [f ≠ f1 ∨ y ≠ x] in an exclusive form (A ∨ B = A ∨ (¬A ∧ B)). It is easy to verify that the split results in an equivalent model, i.e. ∀M : (Vote, b) ∈ E(M) ⇔ (Voteyesc, b1) ∈ E(M) exor (Votenoc, b2) ∈ E(M), where b, b1, b2 are the same binding (up to renaming). 

These transitions represent the two phases of the SM switch: Voteyesc models an actual switch of the SM groups, realised by complementing the state flag of the "future" group; Votenoc models the first step of the SM switch, where the computed state, confirmed for a number of consecutive cycles, is copied from the WR space to the RO space of the "future" group. 
Fig. 5. SRG structures of the complete model: (a) and (b) 



Let c0, c1 and b0, b1 denote unitary dynamic subclasses of the static subclass conf and of the class FLAG, respectively. The symbolic initial marking of the whole model is: 

M0(WR) = ⟨S, c1, b0, c1, b0, c1, b0⟩, M0(RO) = ⟨S, c1, b0⟩, M0(FS) = ⟨g2⟩, 
M0(exramsv) = ⟨S, c1⟩, M0(exramf) = ⟨S, b0⟩, M0(savefs) = ⟨g1⟩. 

The symbolic marking M0, which corresponds to four (|conf| × |FLAG|) ordinary markings, denotes a starting configuration where the storage areas are initialised in the same way. For example, M0(exramf) corresponds to both ⟨S, true⟩ and ⟨S, false⟩. The SRG generated by M0, whose cardinality is equal to 459 symbolic markings, is sketched in Fig. 5(a). The following conventions are used: M_i denotes a symbolic marking such that M0[s1⟩ ... M_{i-1}[s_i⟩M_i, where s_k (1 ≤ k ≤ i) is a symbolic firing sequence corresponding to a SM cycle (i.e. the support of s_k restricted to transitions in SLC has the form of slc). An arc from M_i to M_j means that M_i[s_i⟩M_j for any s_i, and represents the folding of all the possible paths from M_i to M_j, corresponding to different durations of a SM cycle. Hereafter, this will be simply denoted by M_i → M_j. For the sake of readability arcs are not labeled. Finally, M_i* means that the marking of place FS and/or RO, on which we focus, has changed with respect to M_i. 

Some general remarks about the SRG structures: M0, ..., M4 are not home markings; there is only one strongly connected component (a maximal subgraph where all nodes are reachable from each other, denoted hereafter as SCC), composed of elements that are home markings. That is to say, the system, after a transient phase, reaches its steady-state behaviour (consequently, a steady-state solution exists for the MC isomorphic to the SRG). Denoting with α, β arbitrary conditions on place markings, we consider this progress property, α ⟼ β: for all possible finite or infinite occurrence sequences σ such that M0[σ⟩, each state where α holds is followed by, or is itself, a state where β holds. The following properties hold, related to the marking of place RO (x, y denote any object of the class SV): 

(g1, c1, b0) + (g2, x, b0) ⟼ (g1, y, b0) + (g2, c0, b1)   (8) 

(g1, x, b0) + (g2, c0, b1) ⟼ (g1, c1, b1) + (g2, y, b1)   (9) 

Properties (8) and (9) state that, starting from any configuration, the SM groups eventually switch in the correct way. The previous result may be refined by computing the number of cycles for a SM switch (NSC), which characterises the mechanism (the effect of faults on this index will be studied in Sect. 8). NSC is given by the length of the shortest path between two nodes M_i, M_j of Fig. 5 corresponding to consecutive SM switches. We have to consider only the SCC, since we are interested in the steady state behaviour. Formally, let M_i, M_j be nodes such that 

π_3(M_i(RO)) ≠ π_3(M_j(RO)), 

∀M_l : (M_l → M_i) ⇒ π_3(M_l(RO)) ≠ π_3(M_i(RO)), 

∃ n markings M_{k_1}, ..., M_{k_n}, M_i → M_{k_1} → ... → M_{k_n} → M_j : 

∀h, M_{k_h} ≠ M_i ∧ π_3(M_{k_h}(RO)) = π_3(M_i(RO)); 

then NSC is equal to n + 1. In the light of the two-phase SM switch, NSC is expected to be ≥ 6. Quite surprisingly, NSC turns out to be equal to five in the SRG of Fig. 5(a), i.e. the distance between M5 and M10. This unexpected result is due to the simplified, two-state representation of SM: after a SM switch, the new output of the application is equal to the state stored in the RO space of the new "future" group of SM. Therefore, the state flag is complemented early, and SM switches in less than six cycles. 

This points out a subtle anomaly of the mechanism: in case of a computational sequence ... S_i → S_j → S_i, where S_i → S_j denotes a SM switch, with the computation output taken as the new input, the above situation takes place. In other words, the temporal window protected against faults lasts five cycles. If a fault occurs which affects the computation for a time period longer than five cycles, an erroneous SM switch may occur. However, because of the very high number of actual SM configurations, the probability of such an event is negligible. 

To represent a more realistic system behaviour it is sufficient to modify the I/O functions of the transition Voteyesc, which models a SM switch, as described in Fig. 7 (where the transition is split, for the quantitative analysis). An occurrence of the modified transition Voteyesc resets the WR and RO areas of the new future group (by means of the constant s0), thus modelling that after any SM switch the computed state is different from the one stored in the RO space of the new future group. 

The structural properties of Sect. 5 are preserved. The SRG generated after this change is sketched in Fig. 5(b). The general properties about home markings and strongly connected components, as well as properties (8) and (9), still hold. Instead, NSC turns out to be equal to eight, corresponding to the distance between M10 and M18. This result can be explained in the following way: the considerable duration of the voting operation in the SM boards causes a delay of one cycle in both phases of the SM switch. Thus the data read from the future group during the fourth phase of a cycle (see the pseudo-code) result from a voting carried out during the previous cycle. 

Considering the arc from M9 to M10 in Fig. 5(b), we may refine the previous result. It may be observed that a cycle is spent, since the contents of the RO space change, before the switch of the SM groups actually takes place. In other words, the number of cycles for SM switch is equal to eight, but the eighth computation may be different from the previous ones, i.e. the system is protected against faults having a duration of up to seven cycles. 

Other interesting outcomes derived from the analysis of the SRG in Fig. 5(b) concern a characterisation of the two phases of the SM switch. For instance, we have derived that a faulty computation is less expensive in the second phase (in terms of NSC) than in the first phase. This kind of analysis proved to be very useful for a deep characterisation of the mechanism, allowing several hidden aspects and weak points to be pointed out. The current efforts of (re)designing a more efficient and flexible SM version, which relies on exploiting the redundancies intrinsic in distributed architectures, take some of these outcomes into account. 

7 The Fault Representation 

In this section the net in Fig. 4 is refined and integrated with a probabilistic representation of transient faults, based on a flexible Markov-Modulated Bernoulli Process (MMBP). The aim is to study the sensitivity of the temporal redundancy technique with respect to different characterisations of the fault process. 

On one side, such an approach fits in with the first aim of this work, i.e. proving the viability of the SWN modeling technique. On the other side, it is coherent with the randomness of the main parameter characterising electromagnetic perturbations, i.e. the frequency. However, a more precise and timely description of the fault process (e.g. in terms of magnitude and duration) could be possible, acting on the parameters of the Markov modulating model. The fault model is coupled with the system model by means of the place erroccur, which signals that a transient fault occurred during a cycle, affecting the computed state. In order to represent such a wrong computation, the transition Applerr in Fig. 6 was introduced, which may be enabled only when place erroccur is marked. Transitions Application and Applerr are mutually exclusive. The convention we adopt is that a wrong computation does not change the input state (the variable 
Colour domains and predicates of Fig. 6:

C(exramsv) = ROLE × SV        Pr(Applerr) = [x ∈ conf] 
C(endappl) = GROUP            Pr(Application) = [x ∈ conf ∧ z ∈ conf ∧ x ≠ z] 

Fig. 6. Fault model with Markov-modulated fault process 



z is set equal to x in the arc functions from/to place exramsv). Some comments have to be made on this approach: 1) it allows the system model to be kept unchanged, independently of the representation of fault occurrence; 2) representing only the final effect of a transient fault is coherent with the adopted restart mechanism, which confines the effect of a fault to a single cycle, preventing at the same time the state space explosion; 3) it corresponds to the pessimistic, but realistic, assumptions that faults occurring for a number of consecutive cycles have the same effect, and that the system is fault sensitive at any instant of a cycle; 4) multiple occurrences of faults in a single cycle are not taken into account (place erroccur is always marked by at most one token), nor are faults affecting the state flag (this is a reasonable assumption, because of the very large number of bits forming a state configuration). 

The MMBP fault process can be either on (place faulton is marked) or off (place faultoff is marked). If the fault process is on, the four transitions On_on_fault, On_on_no_fault, On_off_fault, and On_off_no_fault are enabled after the firing of transition Clock. When the fault process is in the on state an occurrence may happen with probability p. On the contrary, when the fault process is off, transitions Off_on and Off_off are enabled and no fault can occur. The firing of transition On_on_fault (On_off_fault) models the occurrence of a fault and the fault process that remains in the on state (changes to the off state). The on and off periods of the fault process are geometrically distributed random variables, whose averages are the inverses of the probabilities 1 − P(on-on) and 1 − P(off-off). The fault activity factor (AF) is defined to be the ratio between the average on period duration and the sum of the average on and off period durations; with trivial algebra we get: 

$$AF = \frac{1/(1 - P(on\text{-}on))}{1/(1 - P(on\text{-}on)) + 1/(1 - P(off\text{-}off))}$$
Colour domains and predicates of Fig. 7:

C(WR) = GROUP × SV × FLAG × SV × FLAG × SV × FLAG     Pr(Votenoc) = [f = f1 ∧ y ≠ x] 
C(RO) = GROUP × SV × FLAG                               Pr(Voteyescok) = [f ≠ f1 ∧ x ≠ z] 
C(FS) = GROUP                                           Pr(Voteyescko) = [f ≠ f1 ∧ x = z] 

Fig. 7. Stable Memory hardware model with the transition Voteyesc split into Voteyescok and Voteyescko 




The average fault load factor is defined as ρ = p · AF and the average burst size is BS = p/(1 − P(on-on)). The fault occurrence interarrival times during the on periods are geometrically distributed random variables; since a fault is drawn with probability p at each cycle of an on period, their average is 1/p. 

A further minor modification of the model leads to the representation of a Bernoulli fault process. This is achieved by deleting transitions On_off_fault, On_off_no_fault, Off_on, and Off_off and places faulton and faultoff from the model of Fig. 6. 
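As an added illustration (this is not code from the paper and not the GreatSPN model), the following Python reproduces the discrete-time on/off chain and the per-cycle fault draw of the MMBP just described, the Bernoulli special case obtained by removing the off state, and the three derived parameters AF, ρ and BS. The erroneous-switch proxy at the end is a simplification constructed for this example: it counts runs of consecutive faulty cycles longer than the seven-cycle protected window derived in Sect. 6, which under the paper's convention (a faulty cycle leaves the state unchanged, so consecutive faults keep confirming the same wrong state) is the situation in which the Voteyescko transition becomes enabled. The parameter values in `compare` are chosen for the example, not taken from the paper.

```python
"""MMBP fault process per SM cycle (Sect. 7) and a simplified
erroneous-switch proxy. Added example; parameters are illustrative."""
import random


def activity_factor(p_on_on, p_off_off):
    """AF = mean on period / (mean on period + mean off period),
    with geometric periods of mean 1/(1-P(on-on)) and 1/(1-P(off-off))."""
    mean_on = 1.0 / (1.0 - p_on_on)
    mean_off = 1.0 / (1.0 - p_off_off)
    return mean_on / (mean_on + mean_off)


def load_factor(p, p_on_on, p_off_off):
    """rho = p * AF: long-run fraction of faulty cycles."""
    return p * activity_factor(p_on_on, p_off_off)


def burst_size(p, p_on_on):
    """BS = p / (1 - P(on-on)): mean number of faults per on period."""
    return p / (1.0 - p_on_on)


def mmbp_faults(n_cycles, p, p_on_on, p_off_off, rng):
    """One fault indicator per cycle. After each Clock firing the process
    draws a fault with probability p only while on (On_on_fault /
    On_off_fault), then stays or switches state (Off_on / Off_off etc.)."""
    on = rng.random() < activity_factor(p_on_on, p_off_off)  # start in steady state
    out = []
    for _ in range(n_cycles):
        fault = on and rng.random() < p
        out.append(fault)
        stay = p_on_on if on else p_off_off
        if rng.random() >= stay:
            on = not on
    return out


def bernoulli_faults(n_cycles, rho, rng):
    """Bernoulli special case: faultoff and the Off_* transitions removed,
    so the process is always on and a fault is drawn with prob. rho."""
    return [rng.random() < rho for _ in range(n_cycles)]


def erroneous_switch_runs(faults, window=7):
    """Count maximal runs of consecutive faulty cycles longer than the
    protected window (simplified proxy for an erroneous SM switch)."""
    runs, current = 0, 0
    for f in faults:
        current = current + 1 if f else 0
        if current == window + 1:
            runs += 1
    return runs


def compare(n_cycles=200_000, p=0.5, p_on_on=0.99, p_off_off=0.99, seed=1):
    """Bursty MMBP versus a Bernoulli process with the same load factor rho."""
    rng = random.Random(seed)
    rho = load_factor(p, p_on_on, p_off_off)
    mmbp = mmbp_faults(n_cycles, p, p_on_on, p_off_off, rng)
    bern = bernoulli_faults(n_cycles, rho, rng)
    return {
        "rho": rho,
        "mmbp_fault_fraction": sum(mmbp) / n_cycles,
        "bernoulli_fault_fraction": sum(bern) / n_cycles,
        "mmbp_runs": erroneous_switch_runs(mmbp),
        "bernoulli_runs": erroneous_switch_runs(bern),
    }


if __name__ == "__main__":
    print(compare())
```

Both processes hit the same long-run fraction of faulty cycles, but the correlated MMBP packs its faults into on periods and therefore produces far more over-window runs than the Bernoulli process at equal ρ, which is the effect behind the PER remarks of Sect. 8.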

To suitably analyze the complete model with faults, the transition Voteyesc is split into two mutually exclusive transitions, Voteyescok and Voteyescko, by rewriting the corresponding predicate in an exclusive form (the resulting equivalent model is depicted in Fig. 7). These transitions represent a correct SM switch and a SM switch caused by a number of consecutive faulty computations, respectively, depending on whether the state which is being confirmed (denoted by the variable x) is different from the (old) input state (denoted by z) or not. This is in accordance with the adopted convention. 

8 Quantitative Analysis: Selected Numerical Results 

As an example of the numerical results that can be obtained with the SWN 
model, we present some curves of selected performance indices, and we com- 
ment on the complexity of the solution of the SWN model. The discussion of 
numerical results aims at proving the viability of the proposed SWN modeling 
approach, not at a complete characterisation of the steady-state performance of 
the temporal redundancy technique, which is outside the scope of this paper. All numerical results were obtained with the GreatSPN package. In the presentation of numerical results we focus on two performance indices: the mean number of cycles for SM switch (NSC), defined through the throughput X(Voteyescok) of the correct-switch transition, and the erroneous SM switch probability (PER), defined as X(Voteyescko) / (X(Voteyescko) + X(Voteyescok)). 

In order to validate the behaviour of the SWN model we computed the value of the performance index NSC in the case of an ideal scenario characterised by the absence of faults. The obtained value is equal to eight, which is the same value derived in Sect. 6 and thus represents a lower bound for the NSC index. Numerical results are presented in the four graphs of Fig. 8, which show the NSC (top) and the PER (bottom) as functions of the fault load factor ρ. The left column presents several curves for a fixed value of the BS parameter (128) of the MMBP fault process and different values of the AF parameter, while the right column refers to a fixed value of the AF parameter (0.3) for different values of the BS parameter. 

Fig. 8. Mean number of cycles for SM switch (top), erroneous SM switch probability (bottom), as functions of the fault load factor, for either variable AF parameter (left) or BS (right) 
The observation of the numerical results leads to a number of remarks. As 
expected, the NSC curves show increasing index values as the fault load factor 
increases; the same holds for the PER values. The NSC assumes higher values 
under the hypothesis of Bernoulli fault process, while under the assumption of 
MMBP fault process the lower the AF parameter the lower the NSC values. For 
a fixed value of the AF parameter, the NSC values are virtually insensitive to 
the values of the BS parameter (32, 64, and 128). This phenomenon is explained 
observing that low values of AF translate into long periods of correct functioning 
characterised by the lower bound for the NSC value that has been previously 
computed. Therefore, the lower the AF the longer the correctly working periods 
which yield lower values for NSC. 

On the contrary, the PER index assumes the higher values under the as- 
sumption of MMBP fault process. This is explained observing that erroneous 
SM switches occur when consecutive cycles compute the same (wrong) value. 
Therefore, a highly correlated fault process, as the MMBP we consider in this 
paper, results in a higher number of consecutive faults which increase the PER 
values compared with the results we obtain under the assumption of a poorly 
correlated Bernoulli fault process. 

As a final remark, the number of symbolic states generated by the model is quite low: we obtain 21,090 and 42,178 in the case of the Bernoulli fault process and of the MMBP fault process, respectively. 

9 Conclusions, Future Works, and Exploitation 

The possibility of using the class of SWN as a framework for specifying and 
deriving both qualitative and quantitative properties of FT mechanisms used 
in electric plant automation was proposed. The adopted modelling approach is 
based on the use of just one timed transition that models the system clock, and 
numerous immediate transitions that describe the system operations. A tempo- 
ral redundancy technique adopted in several ENEL plants to deal with transient 
faults has been taken as a case-study. As a first step, the mechanism has been 
specified and analysed in fault-free conditions. The model has been validated 
and analysed by carrying out its structural analysis as well as the symbolic state 
space based analysis. Then, a probabilistic fault representation has been intro- 
duced and discussed, and an example of quantitative analysis has been carried 
out to study the sensitivity of mechanism performances with respect to different 
characterisations of fault occurrence. The analysis/validation through symbolic state space inspection has led to a better understanding of the mechanism implementation, outlining some interesting unexpected behaviours. The preliminary results currently obtained from the quantitative analysis are promising and deserve further investigation, taking into account steady-state and transient model analysis as well as different characterisations of the fault process. The goal is to obtain a deep characterisation of SM by estimating well known metrics like MTBF, MTTF, etc. under given environmental conditions. After this wide spectrum pilot experience, the specification and evaluation technique proposed here has been adopted within the ESPRIT project 28620 TIRAN as a support driving novel software implementations of the SM and of a complete FT framework developed for real-time embedded applications. The authors are confident that the wide exploitation and dissemination guaranteed by the TIRAN project will favour a significant penetration of SWN in the industrial environment. 
Abstract. In this paper we discuss a methodology for monitoring failures and other activity in discrete event systems that are described by Petri nets. Our method is based on embedding the given Petri net model in a larger Petri net that retains the functionality and properties of the given one, perhaps in a non-separate (that is, not immediately identifiable) way. This redundant Petri net embedding introduces "structured redundancy" that can be used to facilitate fault detection, identification and correction, or to offer increased capabilities for monitoring and control. We focus primarily on separate embeddings in which the functionality of the original Petri net is retained in its exact form. Using these embeddings, we construct monitors that operate concurrently with the original system and allow us to detect and identify different types of failures by performing consistency checks between the state of the original Petri net and that of the monitor. The methods that we propose are attractive because the resulting monitors are robust to failures, they may not require explicit acknowledgments from each activity, and their construction is systematic and easily adaptable to restrictions in the available information. We also discuss briefly how to construct non-separate Petri net embeddings. 



1 Introduction 



In this paper we present a systematic methodology for providing monitoring ca- 
pabilities to a given Petri net. Our approach consists of embedding the original 
Petri net in a redundant one (with more places, tokens and/or transitions) in a 
way that preserves the state, evolution and properties of the original Petri net 
in some encoded form.¹ We develop systematic ways of constructing monitoring 
schemes by focusing on the class of separate Petri net embeddings; these embed- 
dings retain the functionality of the original system, but use additional places 
and tokens in order to impose invariant conditions that serve as consistency 
checks. The monitors operate concurrently with the original system and take 
actions based on the activity in the original system. By performing linear checks 
on the combined marking (state) of the original system and the monitor, the 
detecting mechanism is able to locate and identify failures in the overall system. 



¹ These ideas are extensions of the algebraic techniques that were developed earlier for protecting group/semigroup operations. 



S. Donatelli, J. Kleijn (Eds.): ICATPN'99, LNCS 1639, pp. 188-, 1999. 
© Springer-Verlag Berlin Heidelberg 1999 
Our constructions automatically point out the additional connections that are necessary in order to allow fault monitoring. Furthermore, they can be adapted to incorporate changes in the configuration of the original system or to impose restrictions on the information that is available to the monitors (e.g. in cases where information about activity in parts of the system may be unavailable or corrupted). 

The paper is organized as follows. In Section 2 we discuss the different types of failures that we will be protecting against. In Section 3 we construct schemes for failure detection and identification in Petri nets using separate redundant embeddings, and in Section 4 we discuss more general Petri net embeddings. In Section 5 we describe how our embeddings can be used to facilitate control or detect illegal behavior in discrete event systems. 

2 Fault Models 

Let $S$ be a Petri net with $n$ places ($p_1, p_2, \dots, p_n$) and $m$ transitions ($t_1, t_2, \dots, t_m$). Let $b^-_{ij}$ denote the integer weight of the arc from place $p_i$ to transition $t_j$, and $b^+_{ij}$ denote the integer weight of the arc from transition $t_j$ to place $p_i$, and define $B^- = [b^-_{ij}]$ (respectively, $B^+ = [b^+_{ij}]$) to be the $n \times m$ matrix with $b^-_{ij}$ (respectively, $b^+_{ij}$) at its $i$th row, $j$th column position. The state evolution of Petri net $S$ is given by 

$$q[k+1] = q[k] + (B^+ - B^-)\,x[k] \quad (1)$$

$$\phantom{q[k+1]} = q[k] + B\,x[k], \quad (2)$$

where $B = B^+ - B^-$ and $q[k]$ is the state (marking) of the Petri net at time epoch $k$ (i.e. the number of tokens in each of its places). The input $x[k]$ in the above description is restricted to have exactly one non-zero entry with value 1. When $x[k] = x_j = [0 \cdots 1 \cdots 0]^T$ (the 1 being at the $j$th position), transition $t_j$ fires ($j \in \{1, 2, \dots, m\}$). Note that transition $t_j$ is enabled at time epoch $k$ if and only if $q[k] \ge B^-(:, j)$ (where $B^-(:, j)$ denotes the $j$th column of $B^-$ and the inequality is taken element-wise). A pure Petri net is one in which no place serves as both an input and an output for the same transition (i.e. only one of $b^+_{ij}$ and $b^-_{ij}$ can be non-zero). The Petri net in Figure 1 (with the indicated $B^+$ and $B^-$ matrices) is a pure Petri net. 
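The following Python is an added example, not code from the paper: it implements the state equation (1)-(2), the element-wise enabling test and a monitor-style linear consistency check on the Figure 1 net. The $B^+$ and $B^-$ matrices are taken in the order in which they appear in Figure 1 (an assumption); the weight vector $y = [1, 1, 1]$ is computed from those matrices (it satisfies $y^T B = 0$, so every correct firing conserves the total token count) and is not given on the page. The failure injections follow the transition and place failure models of Section 2.

```python
"""Marking evolution q[k+1] = q[k] + (B+ - B-) x[k] on the Fig. 1 net,
with injected transition/place failures and a linear consistency check.
Added example; matrix order and the invariant y are assumptions."""

# Fig. 1 matrices, n = 3 places (rows), m = 3 transitions (columns).
B_PLUS = [[0, 1, 1],
          [1, 0, 0],
          [1, 0, 0]]
B_MINUS = [[2, 0, 0],
           [0, 1, 0],
           [0, 0, 1]]


def column(mat, j):
    return [row[j] for row in mat]


def is_pure(b_plus, b_minus):
    """No place is both input and output of the same transition."""
    return all(not (bp and bm)
               for rp, rm in zip(b_plus, b_minus)
               for bp, bm in zip(rp, rm))


def enabled(q, j, b_minus=B_MINUS):
    """t_j is enabled iff q >= B-(:, j) element-wise."""
    return all(qi >= bi for qi, bi in zip(q, column(b_minus, j)))


def fire(q, j, b_plus=B_PLUS, b_minus=B_MINUS, failure=None):
    """One step of eq. (1) for transition index j (0-based).
    `failure` injects a Section 2 fault model: 'post' (tokens consumed, none
    deposited), 'pre' (tokens deposited, none consumed), or
    ('place', i, delta) corrupting the count of place p_i by delta."""
    if not enabled(q, j, b_minus):
        raise ValueError(f"t{j + 1} is not enabled in marking {q}")
    pre = column(b_minus, j)
    post = column(b_plus, j)
    if failure == "post":
        post = [0] * len(q)
    elif failure == "pre":
        pre = [0] * len(q)
    new_q = [qi - pi + oi for qi, pi, oi in zip(q, pre, post)]
    if isinstance(failure, tuple) and failure[0] == "place":
        _, i, delta = failure
        new_q[i] += delta
    return new_q


def p_invariants_hold(y, b_plus, b_minus):
    """True iff y^T (B+ - B-) = 0, i.e. y is a P-invariant of the net."""
    n, m = len(b_minus), len(b_minus[0])
    return all(sum(y[i] * (b_plus[i][j] - b_minus[i][j]) for i in range(n)) == 0
               for j in range(m))


def consistent(q, q0, y=(1, 1, 1)):
    """Monitor-side linear check: y.q must equal y.q0 after any correct run."""
    return sum(a * b for a, b in zip(y, q)) == sum(a * b for a, b in zip(y, q0))


def run(q0, sequence, failure_at=None):
    """Fire `sequence` (0-based transition indices) from q0, optionally
    injecting one failure at step k via failure_at=(k, failure).
    Returns (final marking, monitor verdict)."""
    q = list(q0)
    for k, j in enumerate(sequence):
        fault = failure_at[1] if failure_at and failure_at[0] == k else None
        q = fire(q, j, failure=fault)
    return q, consistent(q, q0)


if __name__ == "__main__":
    q0 = [2, 0, 0]
    print("pure:", is_pure(B_PLUS, B_MINUS))
    print("correct run:", run(q0, [0, 1, 2]))
    print("postcondition failure at t3:", run(q0, [0, 1, 2], failure_at=(2, "post")))
    print("precondition failure at t2:", run(q0, [0, 1, 2], failure_at=(1, "pre")))
    print("place failure on p2:", run(q0, [0, 1, 2], failure_at=(0, ("place", 1, 1))))
```

A single weight-one invariant detects that something went wrong, but it cannot tell which transition or place failed, and it cannot see the footnote's case in which neither the preconditions nor the postconditions execute; separating and identifying failures is what the redundant embeddings of Section 3 add.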

Petri nets are a graphical and mathematical model for a variety of discrete event systems (DES's), including information and processing systems. Due to their power and flexibility, Petri nets are particularly relevant to the study of concurrent, asynchronous, distributed, nondeterministic, and/or stochastic systems. The extended spectrum of applications, their size and distributed nature, and the diverse implementations involved in modern Petri nets necessitate elaborate control, fault detection and recovery mechanisms. 

We discuss three different error models which allow us to abstract away from 
the particulars of an implementation and the failures associated with it. Based 
on these error models, we develop a very general approach to fault tolerance. The 
$$B^+ = \begin{bmatrix} 0 & 1 & 1 \\ 1 & 0 & 0 \\ 1 & 0 & 0 \end{bmatrix}, \qquad B^- = \begin{bmatrix} 2 & 0 & 0 \\ 0 & 1 & 0 \\ 0 & 0 & 1 \end{bmatrix}$$

Fig. 1. A Petri net with three places and three transitions. 



price that we pay for this generality is the fact that, given a particular system 
and the corresponding Petri net model, we need to ensure that our error model 
effectively captures the expected failures. 

— A transition failure models a fault in the implementation of a certain transition.
We say that transition $t_j$ has a postcondition failure if no tokens are
deposited to its output places (even though tokens from the input places
have been used). Similarly, we say that transition $t_j$ has a precondition failure
if the tokens that are supposed to be removed from the input places of
the faulty transition are not removed (even though tokens are deposited at
the corresponding output places). In terms of the state evolution in eq. (2),
a failure at transition $t_j$ corresponds to transition $t_j$ firing, but its preconditions
(given by the $j$th column of $B^-$, $B^-(:, j)$) or its postconditions (given
by $B^+(:, j)$) not taking effect.¹

— A place failure models faults that corrupt the number of tokens in a single
place of the Petri net. In terms of eq. (2), a place failure at time epoch $k$
causes the value of a single variable in the state vector $q[k]$ to be incorrect.
This error model is suitable for Petri nets that represent computational systems
or finite state machines (e.g. single-bit errors corrupt a single place in
the Petri net). It has appeared in earlier work that dealt with fault detection
in pure Petri nets.

— The additive failure model is based on explicitly enumerating all faults that
we would like to be able to detect or protect against. The error is then
modeled by its additive effect on the state vector $q[k]$ of the Petri net. In
particular, if fault $f(i)$ takes place at time epoch $k$, then $q_f[k] = q[k] + e_{f(i)}$,
where $q_f[k]$ is the faulty state of the Petri net and $e_{f(i)}$ is the additive effect
of fault $f(i)$. If we can find a priori the additive effect for each fault
$f(i)$ that we would like to protect against, then we can define an $n \times l$ error
matrix $E = [e_{f(1)} \,|\, e_{f(2)} \,|\, \cdots \,|\, e_{f(l)}]$, where $l$ is the total number of different
failures expected. Based on the matrix $E$, we can construct embeddings to
protect our Petri net.

¹ A fault in which both the preconditions and the postconditions are not executed is
indistinguishable from the transition not taking place at all. The motivation for the
transition failure error model came from earlier work, although the faults mentioned there are
captured best by place failures.

The additive error model captures both transition and place failures:

— The additive effect of a precondition failure in transition $t_j$ is captured by the
error vector $B^-(:, j)$. Similarly, the additive effect of a postcondition
failure in $t_j$ is captured by the additive error vector $-B^+(:, j)$.

— The corruption of the number of tokens in place $p_i$ is captured by the additive
error vector $e_{p(i)} = c \times [0 \cdots 1 \cdots 0]^T$, where $c$ is an integer that denotes
the number of tokens that have been added and the only non-zero entry of
vector $[0 \cdots 1 \cdots 0]^T$ appears at the $i$th position.

The additive error model can also capture the effects of multiple independent
additive failures (i.e. failures whose additive effects do not depend on whether
the other failures have taken place or not). For example, a precondition failure
at transition $t_j$ and an independent failure at place $p_i$ will result in the additive
error vector $B^-(:, j) + e_{p(i)}$.

Note that both the additive and place failure error models are capable of 
modeling any failure that results in the corruption of the number of tokens in 
certain places of a given Petri net. For example, a failure that corrupts the 
number of tokens in three places can be seen as three simultaneous place errors 
or as one additive error (associated explicitly with the effects of this failure). 
As in all modeling problems, the goal when choosing a particular error model 
should be to capture the effects of the underlying physical causes while at the 
same time allowing easy algebraic manipulation. 
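Added example (not from the paper): the state evolution of eq. (2) on the Petri net of Fig. 1, with each of the three error models above injected one at a time, so that the additive effect of a failure can be read off as $q_f[k] - q[k]$ and compared with the vectors just derived. The helper names, the `fault` keyword and the firing sequences are this example's own; $B^+$ and $B^-$ are the Fig. 1 matrices.

```python
"""Eq. (2) state evolution for the Petri net of Fig. 1 with injected failures.
Added example (not from the paper). Fault keywords and helper names are
this example's own; B_PLUS and B_MINUS are the Fig. 1 matrices."""

# Rows = places p1..p3, columns = transitions t1..t3 (Fig. 1).
B_PLUS = [[0, 1, 1],
          [1, 0, 0],
          [1, 0, 0]]
B_MINUS = [[2, 0, 0],
           [0, 1, 0],
           [0, 0, 1]]


def column(matrix, j):
    """j-th column (0-based) of a row-major matrix, i.e. M(:, j+1) in the paper."""
    return [row[j] for row in matrix]


def is_pure(b_plus=B_PLUS, b_minus=B_MINUS):
    """Pure net: no place is both an input and an output of the same transition."""
    return all(bp == 0 or bm == 0
               for rp, rm in zip(b_plus, b_minus)
               for bp, bm in zip(rp, rm))


def enabled(q, j, b_minus=B_MINUS):
    """t_j is enabled at marking q iff q >= B-(:, j) element-wise."""
    return all(qi >= bi for qi, bi in zip(q, column(b_minus, j)))


def fire(q, j, fault=None, c=0, place=0, b_plus=B_PLUS, b_minus=B_MINUS):
    """One step of q[k+1] = q[k] + B+ x_j - B- x_j with an optional fault:
       'post'  -> postcondition failure: outputs not deposited (effect -B+(:, j))
       'pre'   -> precondition failure: inputs not consumed (effect +B-(:, j))
       'place' -> c tokens added to the given place (effect c * e_i)"""
    if not enabled(q, j, b_minus):
        raise ValueError(f"t{j + 1} is not enabled in marking {q}")
    bp, bm = column(b_plus, j), column(b_minus, j)
    if fault == "post":
        bp = [0] * len(q)          # tokens consumed, nothing produced
    elif fault == "pre":
        bm = [0] * len(q)          # tokens produced, nothing consumed
    q_next = [qi + p - m for qi, p, m in zip(q, bp, bm)]
    if fault == "place":
        q_next[place] += c         # corruption of a single place
    return q_next


def additive_effect(q_faulty, q_correct):
    """e = q_f[k] - q[k], the additive error vector of the failure."""
    return [a - b for a, b in zip(q_faulty, q_correct)]


def run(q0, sequence, faults=None):
    """Fire a sequence of transitions (0-based indices); `faults` maps a step
    index to a (fault, c, place) triple. Returns the final marking."""
    faults = faults or {}
    q = list(q0)
    for step, j in enumerate(sequence):
        fault, c, place = faults.get(step, (None, 0, 0))
        q = fire(q, j, fault=fault, c=c, place=place)
    return q


if __name__ == "__main__":
    q0 = [2, 0, 0]
    good = fire(q0, 0)                    # t1 fires correctly
    bad = fire(q0, 0, fault="post")       # postcondition failure of t1
    print(good, bad, additive_effect(bad, good))
```

Running the sequence $t_1, t_2, t_3$ from $q[0] = [2\;0\;0]^T$ returns the net to its initial marking; injecting a precondition failure at $t_1$ together with a later place failure gives an additive effect equal to $B^-(:, 1) + e_{p(3)}$, the independent-failures case described above.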

Example 1: Consider the Petri net in Figure 2. It could be the model of a
distributed processing network or of a flexible manufacturing system. Transition
$t_2$ models a process that takes as input two data packets (or two raw products)
from place $p_2$ and produces two different data packets (or intermediate products),
one of each being deposited to places $p_3$ and $p_4$. Processes $t_3$ and $t_4$ take their
corresponding input packets (from places $p_3$ and $p_4$, respectively) to produce
the final data packets (or final products). Note that processes $t_3$ and $t_4$ can take
effect concurrently. Once done, they return separate acknowledgments to places
$p_5$ and $p_6$ so that process $t_2$ can be enabled again. Transition $t_1$ models the
external input to the system and is always enabled. The marking of the Petri
net shown in Figure 2 is given by $q[0] = [2 \; 2 \; 0 \; 0 \; 1 \; 1]^T$; only transitions $t_1$ and
$t_2$ are enabled.

If the process modeled by transition $t_2$ fails to execute its postconditions,
tokens will be removed from input places $p_2$, $p_5$ and $p_6$, but no tokens will be
deposited at output places $p_3$ and $p_4$. The faulty state of the Petri net will be

$q_f[1] = [2 \; 0 \; 0 \; 0 \; 0 \; 0]^T$ .

If process $t_2$ fails to execute its preconditions, then tokens will appear at the
output places $p_3$ and $p_4$ but no tokens will be removed from the input places $p_2$,
$p_5$ and $p_6$. The faulty state of the Petri net will be $q_f[1] = [2 \; 2 \; 1 \; 1 \; 1 \; 1]^T$.
Fig. 2. A Petri net model of a distributed processing system. [Figure not reproduced.]

If process $t_2$ executes correctly but there is a failure at place $p_4$, then the
resulting state will be of the form $q_f[1] = [2 \; 0 \; 1 \; 1{+}c \; 0 \; 0]^T$; the number of
tokens at place $p_4$ has been corrupted by $c$. □

3 Monitoring Schemes 

3.1 Separate Redundant Embeddings 

We begin our study of redundant embeddings for Petri nets by considering separate
embeddings.² The resulting monitors operate concurrently with the original
system and are driven by the same input, i.e. are based on information about
which transitions fire in the original system. By performing a check on the combined
marking of the original system and the monitor, the detecting mechanism
is able to locate and identify failures in the overall system. We develop systematic
constructions that are based on linear checks (which makes them easily adaptable
to changes in the configuration or the initial marking of the original Petri
net). Furthermore, our schemes can be applied to systems where certain information
is unavailable (e.g. when no connections are available from a particular
place or transition). The alternative to our construction could be an analysis
that is based on identifying invalid states (i.e. states reached only when a transition
or a place fails) and then identifies the failure that has caused the Petri
net to reach this invalid state. Our approach avoids this complicated reachability
analysis, automatically points out additional connections that are necessary, and
results in monitors that are robust to communication failures.

Definition 1: A separate redundant embedding for Petri net S (with $n$ places,
$m$ transitions, state vector $q[\cdot]$ and state evolution as in eq. (1)) is a Petri net
H (with $\eta = n + d$, $d > 0$ places and $m$ transitions) that has state evolution

$q_h[k+1] = q_h[k] + \tilde{B}^+ x[k] - \tilde{B}^- x[k]$

$\phantom{q_h[k+1]} = q_h[k] + \begin{bmatrix} B^+ \\ X^+ \end{bmatrix} x[k] - \begin{bmatrix} B^- \\ X^- \end{bmatrix} x[k]$ ,   (3)

and whose state vector is given by

$q_h[k] = \begin{bmatrix} I_n \\ C \end{bmatrix} q[k]$

for all time epochs $k$. In addition, we require that for any initial marking (state)
$q[0]$ for S, Petri net H (with initial state $q_h[0] = Gq[0]$) admits all firing transition
sequences that are allowed in S (under initial state $q[0]$). □

² In Section 4 we study a more general class of Petri net embeddings (which actually
includes separate redundant embeddings as a special case). The reason we choose to
present separate embeddings first is because they are easier to describe and because,
unlike non-separate schemes, they can be applied to systems whose original structure
(and the associated Petri net model) cannot be changed. Non-separate embeddings
on the other hand may require changes in the structure of the original systems.



Note that the functionality of Petri net S remains intact within the redundant
Petri net embedding H. Matrix $G = \begin{bmatrix} I_n \\ C \end{bmatrix}$ is referred to as the encoding matrix. All valid
states $q_h[k]$ in H have to lie within the column space of $G$; furthermore, there
exists a parity check matrix $P = [-C \;\; I_d]$ such that $Pq_h[k] = 0$ for all $k$ (under
fault-free conditions). Since H is a Petri net, matrices $X^+$ and $X^-$ and state
vector $q_h[k]$ (for all $k$) have nonnegative integer entries. The following theorem
characterizes separate redundant Petri net embeddings and leads to systematic
ways of constructing them:

Theorem 1: Consider the setting described above. Petri net H is a separate
redundant embedding for Petri net S (with state evolution as in eq. (1)) if and
only if $G$ is a matrix with nonnegative integer entries and

$X^+ = CB^+ - D$ , $\quad X^- = CB^- - D$ ,

where $D$ is any $d \times m$ matrix with nonnegative integer entries such that $D \leq
\min(CB^+, CB^-)$ (operations $\leq$ and $\min$ are taken element-wise). □



Proof: (⇒) The state $q_h[0] = Gq[0] = \begin{bmatrix} I_n \\ C \end{bmatrix} q[0]$ needs to have nonnegative
integer entries for all valid $q[0]$ (a valid initial state for S is any vector $q[0]$ with
nonnegative integer entries). Clearly, a necessary (and sufficient) condition is
that $G$ is a matrix with nonnegative integer entries.

If we combine the state evolution of the redundant and original Petri nets
(in eqs. (3) and (1) respectively) we see that

$Gq[k+1] = q_h[k+1] = q_h[k] + \begin{bmatrix} B^+ \\ X^+ \end{bmatrix} x[k] - \begin{bmatrix} B^- \\ X^- \end{bmatrix} x[k]$

and also

$Gq[k+1] = \begin{bmatrix} I_n \\ C \end{bmatrix} q[k+1] = \begin{bmatrix} I_n \\ C \end{bmatrix} q[k] + \begin{bmatrix} B^+ \\ CB^+ \end{bmatrix} x[k] - \begin{bmatrix} B^- \\ CB^- \end{bmatrix} x[k] = q_h[k] + \begin{bmatrix} B^+ \\ CB^+ \end{bmatrix} x[k] - \begin{bmatrix} B^- \\ CB^- \end{bmatrix} x[k]$ .

(More generally, the state of a separate redundant embedding is given by $q_h[k]$ as
an appropriate function of $q[k]$.)
Since any transition $t_j$ can be enabled (e.g. by choosing $q[0] = B^-(:, j)$), we
conclude that $X^+ - X^- = C(B^+ - B^-)$. Without loss of generality we can set
$X^+ = CB^+ - D$ and $X^- = CB^- - D$ for some matrix $D$ with integer entries. In
order for Petri net H (with initial marking $q_h[0] = [\, q^T[0] \;\; (Cq[0])^T \,]^T$, where $q[0]$
is any initial state for S) to admit all firing transition sequences that are allowed
in S under initial state $q[0]$, we need $D$ to have nonnegative integer entries. The
proof follows easily by contradiction: suppose $D$ has a negative entry in its $j$th
column; choose $q[0] = B^-(:, j)$; transition $t_j$ can be fired in S but cannot be
fired in H because

$Cq[0] = CB^-(:, j) < CB^-(:, j) - D(:, j) = X^-(:, j)$ .

The requirement that $D \leq \min(CB^+, CB^-)$ follows from $X^+$ and $X^-$ being
matrices with nonnegative integer entries.

(⇐) The other direction follows easily. The only challenge is to show that if
$D$ is chosen to have nonnegative entries, then all transitions that are enabled in
S at time epoch $k$ under state $q[k]$ are also enabled in H under state $q_h[k] =
[\, q^T[k] \;\; (Cq[k])^T \,]^T$: if $D$ has nonnegative entries then

$q[k] \geq B^-(:, j) \;\Rightarrow\; Gq[k] \geq GB^-(:, j)$

$\phantom{q[k] \geq B^-(:, j)} \;\Rightarrow\; q_h[k] \geq GB^-(:, j)$

$\phantom{q[k] \geq B^-(:, j)} \;\Rightarrow\; q_h[k] \geq GB^-(:, j) - \begin{bmatrix} 0 \\ D(:, j) \end{bmatrix} = \tilde{B}^-(:, j)$

(Remember that matrices $G$, $B^+$, $B^-$, and $D$ have nonnegative integer entries.)
We conclude that if transition $t_j$ is enabled in S ($q[k] \geq B^-(:, j)$), then it is also
enabled in H ($q_h[k] \geq \tilde{B}^-(:, j)$). □

3.2 Failure Detection and Identification 

Given a Petri net S with state evolution equation as in eq. (1), we can use
a separate redundant embedding H as described in Theorem 1 to construct
monitors for both transition and place failures. The invariant conditions imposed
by our separate embeddings can be checked by verifying that $[-C \;\; I_d]\, q_h[k]$ is
equal to 0. The $d$ additional places in H function as checkpoint places and can
either be distributed in the Petri net system or be part of a centralized monitor.³
In what follows, we show that by appropriately choosing $C$ and $D$ (subject to the
constraints described in Theorem 1) we can detect and locate transition and/or
place failures.

Transition Failures: Suppose that at time epoch $k-1$ transition $t_j$ fires (that
is, $x[k-1] = x_j$). If, due to a failure, the postconditions of transition $t_j$ are not
executed, the erroneous state at time epoch $k$ will be

$q_f[k] = q_h[k] - \tilde{B}^+(:, j) = q_h[k] - \tilde{B}^+ x_j$

(where $q_h[k]$ is the state that would have been reached under fault-free conditions).
The error syndrome will be

$Pq_f[k] = P\left(q_h[k] - \begin{bmatrix} B^+ \\ CB^+ - D \end{bmatrix} x_j\right) = Dx_j = D(:, j)$ .

If the preconditions of transition $t_j$ are not executed, the erroneous state will be

$q_f[k] = q_h[k] + \tilde{B}^-(:, j) = q_h[k] + \tilde{B}^- x_j$

and the error syndrome will be

$Pq_f[k] = -Dx_j = -D(:, j)$ .

If we choose all columns of $D$ to be distinct, we will be able to detect and
identify all single transition failures. Depending on the sign, we can also decide
whether preconditions or postconditions were not executed. In fact, given enough
redundancy, we may be able to identify multiple transition failures.

³ Some of the constraints that we developed in the previous section can be dropped
if we adopt the view in earlier work and treat additional places only as test places, i.e. allow
them to have a negative number of tokens. In such case, $C$ and $D$ are not restricted
to have nonnegative entries.

Example 2: Consider the Petri net in Figure 1 with the indicated $B^+$ and $B^-$
matrices. We will use one additional place ($d = 1$) in order to concurrently detect
and identify transition failures. We choose $C = [2 \; 2 \; 1]$, $D = [3 \; 2 \; 1]$ and obtain
the separate embedding of Figure 3 (the additional connections are shown with
dotted lines).

Fig. 3. A separate embedding to identify single transition failures in the Petri
net of Figure 1. [Figure not reproduced.]

Matrices $\tilde{B}^+$ and $\tilde{B}^-$ are given by

$\tilde{B}^+ = \begin{bmatrix} B^+ \\ CB^+ - D \end{bmatrix} = \begin{bmatrix} 0 & 1 & 1 \\ 1 & 0 & 0 \\ 1 & 0 & 0 \\ 0 & 0 & 1 \end{bmatrix}$ , $\quad \tilde{B}^- = \begin{bmatrix} B^- \\ CB^- - D \end{bmatrix} = \begin{bmatrix} 2 & 0 & 0 \\ 0 & 1 & 0 \\ 0 & 0 & 1 \\ 1 & 0 & 0 \end{bmatrix}$ .

The parity check, performed concurrently by the monitoring mechanism, is
given by

$[-C \;\; I_1]\, q_h[k] = [-2 \; -2 \; -1 \; 1]\, q_h[k]$ .

If the parity check is $-3$ (respectively $-2$, $-1$), then transition $t_1$ (respectively $t_2$,
$t_3$) has failed to perform its preconditions. If the parity check is 3 (respectively 2,
1), then transition $t_1$ (respectively $t_2$, $t_3$) has failed to perform its postconditions.

The additional place $p_4$ is part of the monitoring mechanism: it receives
information about the activity in the original Petri net (which transitions fire
or complete, etc.) and appropriately updates the number of tokens in place $p_4$.
The linear checker (not shown in Figure 3) concurrently detects and identifies
failures by evaluating a checksum on the state of the overall system. Note that the
monitoring mechanism in Figure 3 does not use any information about transition
$t_2$. More generally, explicit connections from each transition to the monitoring
mechanism may not be required; the scheme can also be adapted to handle
cases where certain connections are not permitted (i.e. where information about
a certain transition or place is not available). □

Place Failures: If, due to a failure, the number of tokens in place $p_i$ is increased
by $c$, the faulty state is given by

$q_f[k] = q_h[k] + e_{p(i)}$

where $e_{p(i)}$ is an $\eta$-dimensional vector with a unique non-zero entry at its $i$th
position, i.e. $e_{p(i)} = c \times [0 \cdots 1 \cdots 0]^T$. In this case, the parity check will be

$Pq_f[k] = P(q_h[k] + e_{p(i)}) = c \times P(:, i)$ .

If we choose $C$ so that columns of $P = [-C \;\; I_d]$ are not rational multiples of
each other, then we can detect and identify single place failures.⁴

Example 3: In order to concurrently detect and identify single place failures in
the Petri net of Figure 1 we will use two additional places ($d = 2$) and choose
$C = \begin{bmatrix} 1 & 2 & 1 \\ 2 & 1 & 1 \end{bmatrix}$; columns of the parity check matrix $P = [-C \;\; I_2]$ are
not multiples of each other. Our choice for $D$ is not critical in the identification of
place failures and we choose⁵ $D = \begin{bmatrix} 2 & 1 & 1 \\ 2 & 1 & 1 \end{bmatrix}$. We then obtain a separate embedding
with matrices $\tilde{B}^+$ and $\tilde{B}^-$ given by

$\tilde{B}^+ = \begin{bmatrix} B^+ \\ CB^+ - D \end{bmatrix} = \begin{bmatrix} 0 & 1 & 1 \\ 1 & 0 & 0 \\ 1 & 0 & 0 \\ 1 & 0 & 0 \\ 0 & 1 & 1 \end{bmatrix}$ , $\quad \tilde{B}^- = \begin{bmatrix} B^- \\ CB^- - D \end{bmatrix} = \begin{bmatrix} 2 & 0 & 0 \\ 0 & 1 & 0 \\ 0 & 0 & 1 \\ 0 & 1 & 0 \\ 2 & 0 & 0 \end{bmatrix}$

and the parity check performed through

$[-C \;\; I_2]\, q_h[k] = \begin{bmatrix} -1 & -2 & -1 & 1 & 0 \\ -2 & -1 & -1 & 0 & 1 \end{bmatrix} q_h[k]$ .

If the result is a multiple of $\begin{bmatrix} -1 \\ -2 \end{bmatrix}$ (respectively $\begin{bmatrix} -2 \\ -1 \end{bmatrix}$, $\begin{bmatrix} -1 \\ -1 \end{bmatrix}$, $\begin{bmatrix} 1 \\ 0 \end{bmatrix}$, $\begin{bmatrix} 0 \\ 1 \end{bmatrix}$), then place
$p_1$ (respectively $p_2$, $p_3$, $p_4$, $p_5$) has failed. □

⁴ We need to make sure that for all pairs of columns of $P$ there do not exist non-zero
integers $\alpha$, $\beta$ such that $\alpha \times P(:, i) = \beta \times P(:, j)$ ($i \neq j$).

⁵ This choice actually minimizes the number of additional connections (for the given
choice of $C$). See the discussion regarding how to choose matrices $C$ and $D$ at the
end of this section.



If C and D are chosen properly, we can actually perform detection and 
identification of both place and transition failures. Note that matrices C and D 
can be chosen almost independently (subject to the constraints analyzed above). 
The following example illustrates how this can be done. 

Example 4: Concurrent identification of a single transition failure or a single
place failure (but not both) in the Petri net of Figure 1 can be achieved with
two additional places ($d = 2$). Let $C = \begin{bmatrix} 3 & 2 & 3 \\ 2 & 3 & 3 \end{bmatrix}$ and $D = \begin{bmatrix} 5 & 2 & 3 \\ 4 & 1 & 1 \end{bmatrix}$. With these
choices, matrices $\tilde{B}^+$ and $\tilde{B}^-$ are given by

$\tilde{B}^+ = \begin{bmatrix} B^+ \\ CB^+ - D \end{bmatrix} = \begin{bmatrix} 0 & 1 & 1 \\ 1 & 0 & 0 \\ 1 & 0 & 0 \\ 0 & 1 & 0 \\ 2 & 1 & 1 \end{bmatrix}$ , $\quad \tilde{B}^- = \begin{bmatrix} B^- \\ CB^- - D \end{bmatrix} = \begin{bmatrix} 2 & 0 & 0 \\ 0 & 1 & 0 \\ 0 & 0 & 1 \\ 1 & 0 & 0 \\ 0 & 2 & 2 \end{bmatrix}$ .

The parity check is performed through

$[-C \;\; I_2]\, q_h[k] = \begin{bmatrix} -3 & -2 & -3 & 1 & 0 \\ -2 & -3 & -3 & 0 & 1 \end{bmatrix} q_h[k]$ .

If the parity check is a multiple of $\begin{bmatrix} -3 \\ -2 \end{bmatrix}$ (respectively $\begin{bmatrix} -2 \\ -3 \end{bmatrix}$, $\begin{bmatrix} -3 \\ -3 \end{bmatrix}$, $\begin{bmatrix} 1 \\ 0 \end{bmatrix}$, $\begin{bmatrix} 0 \\ 1 \end{bmatrix}$),
then there is a failure in place $p_1$ (respectively $p_2$, $p_3$, $p_4$, $p_5$). If the parity
check is $\begin{bmatrix} 5 \\ 4 \end{bmatrix}$ (respectively $\begin{bmatrix} 2 \\ 1 \end{bmatrix}$, $\begin{bmatrix} 3 \\ 1 \end{bmatrix}$), then transition $t_1$ (respectively $t_2$, $t_3$) has
failed to perform its postconditions. If the parity check is $\begin{bmatrix} -5 \\ -4 \end{bmatrix}$ (respectively $\begin{bmatrix} -2 \\ -1 \end{bmatrix}$,
$\begin{bmatrix} -3 \\ -1 \end{bmatrix}$), then transition $t_1$ (respectively $t_2$, $t_3$) has failed to perform its
preconditions.

Fig. 4. A separate embedding to identify single transition or place failures in
the Petri net of Figure 1. [Figure not reproduced.]

The resulting Petri net embedding is shown in Figure 4 (the additional connections
are shown with dotted lines; the linear checker is not shown in the
figure). □

The graphical interpretation of the monitoring scheme in the above examples
is straightforward: we add $d$ places and connect them to the transitions of the
original Petri net. The added places could be part of a centralized controller or
could be distributed in the system. The tokens associated with the additional
connections and places can be regarded as simple acknowledgment messages.
The weights of the additional connections are given by the matrices $CB^+ - D$
and $CB^- - D$. The choice of matrix $C$ specifies detection and identification for
place failures, whereas the choice of $D$ determines detection and identification
for transition failures. Coding techniques or simple linear algebra can be used to
guide the choice of $C$ or $D$. To detect single place failures we need to ensure that
the columns of matrix $C$ are not multiples of each other (this is what guided our
choice of $C$ in Examples 3 and 4). Similarly, matrices $D$ in Examples 2 and 4
were chosen so that their columns are not the same (they are allowed to be
multiples of each other).
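Added example (not the paper's code): the Theorem 1 construction of a separate embedding for the Fig. 1 net, a lockstep check that H admits every firing sequence of S with zero syndrome, and a single-failure syndrome decoder that reproduces the decision tables of Examples 2, 3 and 4 (postcondition failure of $t_j$ gives $D(:, j)$, precondition failure gives $-D(:, j)$, a place failure at $p_i$ gives a rational multiple of $P(:, i)$). The function names, the decoder's order of checks (transition columns before place columns) and the firing sequences are this example's own.

```python
"""Separate redundant embeddings (Theorem 1) and syndrome decoding (Sec. 3.2)
for the Petri net of Fig. 1. Added example, not the paper's code; `diagnose`
and `lockstep` are this example's own design."""
from fractions import Fraction

B_PLUS = [[0, 1, 1], [1, 0, 0], [1, 0, 0]]     # Fig. 1
B_MINUS = [[2, 0, 0], [0, 1, 0], [0, 0, 1]]


def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*B)] for row in A]


def matvec(A, v):
    return [sum(a * x for a, x in zip(row, v)) for row in A]


def column(M, j):
    return [row[j] for row in M]


def separate_embedding(C, D, b_plus=B_PLUS, b_minus=B_MINUS):
    """Return (B~+, B~-, P) with B~+ = [B+; CB+ - D], B~- = [B-; CB- - D] and
    P = [-C I_d]. Raises if D violates 0 <= D <= min(CB+, CB-) (Theorem 1)."""
    CBp, CBm = matmul(C, b_plus), matmul(C, b_minus)
    d, m = len(C), len(b_plus[0])
    for i in range(d):
        for j in range(m):
            if not 0 <= D[i][j] <= min(CBp[i][j], CBm[i][j]):
                raise ValueError(f"D[{i}][{j}]={D[i][j]} violates Theorem 1")
    Xp = [[CBp[i][j] - D[i][j] for j in range(m)] for i in range(d)]
    Xm = [[CBm[i][j] - D[i][j] for j in range(m)] for i in range(d)]
    P = [[-c for c in C[i]] + [int(k == i) for k in range(d)] for i in range(d)]
    return b_plus + Xp, b_minus + Xm, P


def encode(C, q):
    """q_h = G q with G = [I_n; C]."""
    return list(q) + matvec(C, q)


def step(q, j, Bp, Bm, fault=None):
    """Fire t_j (0-based) in a net with matrices (Bp, Bm); 'post'/'pre' skip the
    postconditions/preconditions as in the transition failure model."""
    if any(qi < bi for qi, bi in zip(q, column(Bm, j))):
        raise ValueError(f"t{j + 1} not enabled in {q}")
    add = [0] * len(q) if fault == "post" else column(Bp, j)
    sub = [0] * len(q) if fault == "pre" else column(Bm, j)
    return [qi + a - s for qi, a, s in zip(q, add, sub)]


def lockstep(C, D, q0, sequence):
    """Theorem 1 check: every firing admissible in S is admissible in H and
    q_h[k] = G q[k] with zero syndrome throughout. Returns the final q_h."""
    Bp, Bm, P = separate_embedding(C, D)
    q, q_h = list(q0), encode(C, q0)
    for j in sequence:
        q = step(q, j, B_PLUS, B_MINUS)          # raises if not enabled in S
        q_h = step(q_h, j, Bp, Bm)               # must then be enabled in H
        assert q_h == encode(C, q) and not any(matvec(P, q_h))
    return q_h


def parallel(u, v):
    """True iff u = alpha * v for a single non-zero rational alpha."""
    if not any(u) or not any(v):
        return False
    ratios = set()
    for a, b in zip(u, v):
        if (a == 0) != (b == 0):
            return False
        if a:
            ratios.add(Fraction(a, b))
    return len(ratios) == 1


def diagnose(s, P, D):
    """Decode a syndrome s = P q_f[k] under the single-failure assumption:
    D(:, j) -> postcondition failure of t_j, -D(:, j) -> precondition failure,
    a rational multiple of P(:, i) -> place failure at p_i; None if s = 0."""
    if not any(s):
        return None
    for j in range(len(D[0])):
        if s == column(D, j):
            return ("post", j)
        if s == [-v for v in column(D, j)]:
            return ("pre", j)
    for i in range(len(P[0])):
        if parallel(s, column(P, i)):
            return ("place", i)
    return ("unknown", None)


def inject(C, D, q0, j, fault, place=None, c=0):
    """Fire t_j in H from encode(C, q0) with a fault; return (syndrome, decoded)."""
    Bp, Bm, P = separate_embedding(C, D)
    q_f = step(encode(C, q0), j, Bp, Bm, fault=None if fault == "place" else fault)
    if fault == "place":
        q_f[place] += c
    s = matvec(P, q_f)
    return s, diagnose(s, P, D)
```

With the matrices of Example 2 (`C=[[2,2,1]]`, `D=[[3,2,1]]`) a postcondition failure of $t_1$ yields syndrome 3; with those of Example 4 the same failure yields $[5\;4]^T$, a precondition failure of $t_2$ yields $[-2\;-1]^T$, and adding two tokens to $p_3$ yields $[-6\;-6]^T$, a multiple of $P(:, 3)$. The `ValueError` raised for $D = [4\;2\;1]$ shows the $D \leq \min(CB^+, CB^-)$ bound of Theorem 1 being enforced.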

The above discussion clearly demonstrates that, for given fault detection and 
identification requirements, there are many choices for matrices C and D. One 
interesting future direction is to develop criteria for choosing among these differ- 
ent possibilities. Depending on the underlying system, plausible objectives could 
be to minimize the size of the monitor (number of additional places) , the number 
of additional connections (from the original system to the additional places), or 
the number of tokens involved. Once these criteria are well-understood, it would 
be interesting to develop algorithmic techniques and automatic tools that allow 
us to systematically choose C and D so as to satisfy any or all of these criteria. 

The additional places in our monitoring schemes (e.g. place $p_4$ in Example 2 and
places $p_4$, $p_5$ in Example 4) may be parts of a centralized monitoring mechanism, so it may
be reasonable in certain cases to assume that they are fault-free. Nevertheless,
our scheme is capable of handling failures in any of the places in the Petri net
embedding, including the added ones. The check mechanism (not shown in any
of the figures in Examples 2, 3 and 4) detects and identifies place failures by
evaluating a checksum on the state of the overall Petri net embedding. Our
implicit assumption has been that no failure takes place during this checksum
calculation. It would be interesting to investigate ways to relax this assumption.

Note that if we restrict ourselves to pure Petri nets, then we do not have a
choice for $D$. More specifically, we need to ensure that the resulting Petri net is
pure, which means that $D = \min(CB^+, CB^-)$. In such cases we may lose the
ability to detect transition failures (we may attempt to treat them as multiple
place failures). In this restricted case we recover the results of earlier work: given a pure
Petri net S as in eq. (1), we can construct a pure Petri net embedding with state
evolution

$q_h[k+1] = q_h[k] + \begin{bmatrix} B \\ CB \end{bmatrix} x[k]$

for a matrix $C$ with nonnegative integer entries.

The distance measure adopted in that earlier work suggests that the redundant Petri net
should guard against place failures (corruption of the number of tokens in individual
places). The examples there include a discussion of codes in finite fields
and Petri nets in which addition is performed modulo some integer. (For example,
modulo-2 addition matches well with Petri net systems in which places are implemented
using binary memory elements. In this case, by choosing $P = [-C \;\; I_d]$
to be the (systematic) parity check matrix of a Hamming code, we can
achieve single error detection and identification.)



4 Non-separate Redundant Embeddings

In this section we characterize more general redundant Petri net embeddings.
This characterization can form the basis for systematically constructing more
general monitoring schemes, but due to the lack of space we do not present the
details or any examples. Let S be a Petri net with $n$ places,
$m$ transitions, and state evolution equation as given in eqs. (1) and (2), and let $q[0]$
be any initial state $q[0] \geq 0$ and $X = \{x[0], x[1], \ldots\}$ be any admissible (legal)
firing sequence under this initial state.

Definition 2: Let H be a Petri net with $n + d$ places, $m + t$ transitions (where
$d$, $t$ are positive integers), initial state $q_h[0]$, and state evolution equation

$q_h[k+1] = q_h[k] + \tilde{B}^+ z[k] - \tilde{B}^- z[k]$

$\phantom{q_h[k+1]} = q_h[k] + (\tilde{B}^+ - \tilde{B}^-)\, z[k]$ .   (4)

Petri net H is a redundant embedding for S if it concurrently simulates S in the
following sense: there exist

1. a one-to-one input encoding mapping $\xi : x[k] \mapsto z[k]$,

2. a decoding mapping $\ell : q_h[k] \mapsto q[k]$, and

3. an encoding mapping $g : q[k] \mapsto q_h[k]$,

such that, for any initial state $q[0]$ in S and any admissible firing sequence $X$
(for $q[0]$) and $z[k] = \xi(x[k])$: $q[k] = \ell(q_h[k])$ and $q_h[k] = g(q[k])$ for all time
epochs $k \geq 0$. □

As defined above, a redundant embedding is a Petri net that, after proper
initialization (i.e. $q_h[0] = g(q[0])$), has the ability to admit any firing sequence
$X$ admissible by the original Petri net S (under any initial state $q[0]$). The state
of the original Petri net at any time epoch $k$ is specified by the state of the
redundant embedding (through mapping $\ell$) and vice-versa (through mapping
$g$). Note that, regardless of the initial state $q[0]$ and the firing sequence $X$, the
state $q_h[k]$ of the redundant embedding always lies in a subset of the redundant
state space (namely, the image of $q[\cdot]$ under the mapping $g$). The $t$ additional
transitions can be used for failure recovery.

For the rest of this section we focus on a special class of non-separate embeddings,
where encoding and decoding can be performed through appropriate
encoding and decoding matrices. Specifically, we consider the case where there
exist an $n \times (n + d)$ decoding matrix $L$ and an $(n + d) \times n$ encoding matrix $G$
such that, under any admissible sequence of inputs $X = \{x[0], x[1], \ldots\}$ and any
initial state $q[0]$: $q[k] = Lq_h[k]$ and $q_h[k] = Gq[k]$ for all time epochs $k \geq 0$.
Furthermore, we will assume that $t = 0$ and (without loss of generality) treat
$\xi$ as the identity mapping (we can always permute the columns of $\tilde{B}^+$ and $\tilde{B}^-$
in eq. (4)). The state evolution equation of a non-separate redundant Petri net
embedding is then given by

$q_h[k+1] = q_h[k] + \tilde{B}^+ x[k] - \tilde{B}^- x[k]$   (5)

$\phantom{q_h[k+1]} = q_h[k] + \tilde{B}\, x[k]$ ,   (6)

where $\tilde{B} = \tilde{B}^+ - \tilde{B}^-$.

The additional structure that is enforced through a redundant Petri net embedding
of the form described above can be used for error detection and identification.
In order to systematically construct and use redundant embeddings, we
need to provide a common starting point. The following theorem characterizes
Petri net embeddings in terms of a similarity transformation and a standard
redundant Petri net:

Theorem 2: A Petri net H with $n + d$ places, $m$ transitions and state evolution
as in eqs. (5) and (6) is a redundant embedding for S (in eqs. (1) and (2)) only
if it is similar (in the usual sense of change of basis in the state space)
to a standard redundant embedding $H_\sigma$ whose state evolution equation is given
by

$q_\sigma[k+1] = q_\sigma[k] + \begin{bmatrix} B^+ - B^- \\ 0 \end{bmatrix} x[k] = q_\sigma[k] + \begin{bmatrix} B \\ 0 \end{bmatrix} x[k]$ .   (7)

Here, $B^+$, $B^-$ and $B = B^+ - B^-$ are the matrices in eqs. (1) and (2). Associated
with the standard redundant embedding is the standard decoding matrix $L_\sigma =
[I_n \;\; 0]$ and the standard encoding matrix $G_\sigma = \begin{bmatrix} I_n \\ 0 \end{bmatrix}$ (where $I_n$ denotes the
$n \times n$ identity matrix). Note that the standard Petri net embedding is a pure
Petri net. □



Proof: Clearly, $LGq[\cdot] = Lq_h[\cdot] = q[\cdot]$. Since all initial states are possible in
S ($q[0]$ can be any vector with non-negative integer entries), we conclude that
$LG = I_n$. In particular, $L$ is full-row rank, $G$ is full-column rank and there exists
an $(n + d) \times (n + d)$ matrix $T$ such that $LT = [I_n \;\; 0]$ and $T^{-1}G = \begin{bmatrix} I_n \\ 0 \end{bmatrix}$.
By employing the similarity transformation $q'_h[k] = T^{-1} q_h[k]$, we obtain a similar
system $H'$ whose state evolution is given by

$q'_h[k+1] = (T^{-1} I_{n+d}\, T)\, q'_h[k] + (T^{-1} \tilde{B})\, x[k]$

$\phantom{q'_h[k+1]} = q'_h[k] + \tilde{B}' x[k]$ ,

and has decoding and encoding matrices $L' = LT = [I_n \;\; 0]$ and $G' = T^{-1}G =
\begin{bmatrix} I_n \\ 0 \end{bmatrix}$. Note that so far, we have not shown that system $H'$ is necessarily a Petri
net because the entries of $\tilde{B}'$ are not guaranteed to be integers.

For all time epochs $k$, $q'_h[k] = G'q[k] = \begin{bmatrix} q[k] \\ 0 \end{bmatrix}$; by combining the state
evolution equations of the original Petri net and the redundant dynamic system
we see that

$q'_h[k+1] = q'_h[k] + \tilde{B}' x[k] \;\Leftrightarrow\; \begin{bmatrix} q[k] + Bx[k] \\ 0 \end{bmatrix} = \begin{bmatrix} q[k] \\ 0 \end{bmatrix} + \begin{bmatrix} \tilde{B}'_1 \\ \tilde{B}'_2 \end{bmatrix} x[k]$ .

The above equations hold for all initial conditions $q[0]$; since all transitions
are enabled under some initial condition $q[0]$, we see that $\tilde{B}'_1 = B$ and $\tilde{B}'_2 = 0$.

If we regard the dynamic system $H'$ as a pure Petri net, we see that any
transition enabled in S is also enabled in $H'$. Therefore, $H'$ is a redundant Petri
net embedding. In fact, it is the standard Petri net embedding $H_\sigma$ with the
decoding and encoding matrices presented in the theorem. □

The theorem provides a characterization of the class of Petri net embeddings
for a given Petri net S and is a convenient starting point for systematically constructing
redundant embeddings. For the standard Petri net $H_\sigma$, the redundant
invariant conditions that are imposed by the embedding are easily identified:
since $q_\sigma[\cdot] = [\, q^T[\cdot] \;\; 0 \,]^T$, these conditions are summarized by the parity check
$P_\sigma q_\sigma[\cdot]$, where $P_\sigma = [0 \;\; I_d]$ is the parity check matrix. Note that the separate
embeddings that were studied in Section 3 can also be put into the standard
form of Theorem 2.

We now produce the converse to Theorem 2 which leads to the systematic
construction of Petri net embeddings.

Theorem 3: Let S be a Petri net with $n$ places, $m$ transitions and state evolution
as given in eqs. (1) and (2). A Petri net H with $n + d$ places, $m$ transitions and
state evolution as in eqs. (5) and (6) is a redundant embedding of S if:

— It is similar to a standard embedding $H_\sigma$ (with state evolution equation as
in (7)) through an $(n+d) \times (n+d)$ invertible matrix $T$, such that the first $n$
columns of $T^{-1}$ have non-negative integer entries. (The encoding, decoding
and parity check matrices of the Petri net embedding H are then given by

$L = [I_n \;\; 0]\, T$ , $\quad G = T^{-1} \begin{bmatrix} I_n \\ 0 \end{bmatrix}$ , $\quad$ and $\quad P = [0 \;\; I_d]\, T$ .)

— Matrices $\tilde{B}^+$ and $\tilde{B}^-$ are given by $\tilde{B}^+ = GB^+ - \mathcal{D}$ and $\tilde{B}^- = GB^- - \mathcal{D}$,
where $\mathcal{D}$ is an $(n + d) \times m$ matrix with non-negative integer entries. Note
that $\mathcal{D}$ has to be chosen so that the entries of $\tilde{B}^+$ and $\tilde{B}^-$ are non-negative,
i.e. $\mathcal{D} \leq \min(GB^+, GB^-)$. □



Proof: We know from Theorem 2 that any Petri net embedding H as in eqs. (5)
and (6) can be obtained through an appropriate similarity transformation $q_h[k] =
T^{-1} q_\sigma[k]$ of the standard embedding $H_\sigma$ in eq. (7). In the process of constructing
H from $H_\sigma$, we need to ensure that H is a valid embedding for S, i.e. we need
to meet the following requirements:

1. Given any initial condition $q[0]$ ($q[0]$ has nonnegative integer entries), the
state vector $q_h[0] = Gq[0] = T^{-1} \begin{bmatrix} I_n \\ 0 \end{bmatrix} q[0]$ should have non-negative integer
entries.

2. Matrices $\tilde{B}^+$ and $\tilde{B}^-$ should have non-negative integer entries.

3. The set of transitions enabled in S at any time epoch $k$ should be a subset
of the set of transitions enabled in H (so that under any initial condition
$q[0]$, a firing sequence $X$ that is admissible in S is also admissible in H).

The first condition has to be satisfied for any vector $q[0]$ with non-negative
integer entries. It is therefore necessary and sufficient that the first $n$ columns
of $T^{-1}$ have non-negative integer entries. This also ensures that the matrix
difference

$\tilde{B}^+ - \tilde{B}^- = T^{-1} \begin{bmatrix} B^+ - B^- \\ 0 \end{bmatrix} = T^{-1} \begin{bmatrix} I_n \\ 0 \end{bmatrix} (B^+ - B^-) = G(B^+ - B^-)$

consists of integer entries. Without loss of generality we let $\tilde{B}^+ = GB^+ - \mathcal{D}$,
$\tilde{B}^- = GB^- - \mathcal{D}$, where the entries of $\mathcal{D}$ are integers chosen so that $\tilde{B}^+$ and $\tilde{B}^-$
have non-negative entries (i.e. it is necessary that $\mathcal{D} \leq GB^+$ and $\mathcal{D} \leq GB^-$,
where operation $\leq$ is taken element-wise).

We now check the last condition: transition $t_j$ is enabled in the original Petri
net S at time epoch $k$ if and only if $q[k] \geq B^-(:, j)$. If $\mathcal{D}$ has non-negative entries
then

$q[k] \geq B^- x_j \;\Rightarrow\; Gq[k] \geq GB^- x_j$

$\phantom{q[k] \geq B^- x_j} \;\Rightarrow\; q_h[k] \geq GB^- x_j$

$\phantom{q[k] \geq B^- x_j} \;\Rightarrow\; q_h[k] \geq (GB^- - \mathcal{D})\, x_j$

$\phantom{q[k] \geq B^- x_j} \;\Rightarrow\; q_h[k] \geq \tilde{B}^- x_j$ ,

where $B^-(:, j) = B^- x_j$ (recall that $q[k]$, $B^-$, $G$ and $\mathcal{D}$ have non-negative integer
entries). Therefore, if transition $t_j$ is enabled in the original Petri net S, it is
also enabled in H (transition $t_j$ is enabled in H if and only if $q_h[k] \geq \tilde{B}^-(:, j)$).

It is not hard to see that it is also necessary for $\mathcal{D}$ to have non-negative integer
entries (otherwise we can find a counterexample by appropriately choosing the
initial condition $q[0]$). □

Note that no other restrictions are placed on a Petri net embedding. For 
example, the entries of the decoding matrix L and the parity check matrix P 
can be negative and/or rational. 
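Added example (not from the paper) of the Theorem 3 construction for the Fig. 1 net: a constructed invertible $T$ whose inverse has non-negative integer entries in its first $n$ columns, the resulting $L$, $G$ and $P$, a constructed $\mathcal{D}$ (named `DD` in the code), and checks that $LG = I_n$, $PG = 0$, that $T(\tilde{B}^+ - \tilde{B}^-) = [B^T \; 0]^T$ as in eq. (7), and that $q_h = Gq$, $q = Lq_h$ and $Pq_h = 0$ hold along a firing sequence. The embedding is non-separate: its third place holds the sum of the tokens in $p_1$ and $p_3$, and $L$ has a negative entry, as the note above allows. The matrices $T$, $T^{-1}$, `DD` and the helper names are this example's own.

```python
"""Non-separate redundant embedding built by the Theorem 3 recipe for the net
of Fig. 1. Added example, not from the paper. T, T_INV and DD (the paper's
script-D) are constructed for this example."""

B_PLUS = [[0, 1, 1], [1, 0, 0], [1, 0, 0]]     # Fig. 1, n = 3 places
B_MINUS = [[2, 0, 0], [0, 1, 0], [0, 0, 1]]
N, D = 3, 1                                     # d = 1 added place

# Constructed similarity transformation: the first n columns of T_INV are
# non-negative integers (Theorem 3); T is its inverse (verified by check_inverse).
T_INV = [[1, 0, 0, 0],
         [0, 1, 0, 0],
         [1, 0, 1, 0],
         [2, 2, 1, 1]]
T = [[1, 0, 0, 0],
     [0, 1, 0, 0],
     [-1, 0, 1, 0],
     [-1, -2, -1, 1]]
# Constructed script-D, chosen with 0 <= DD <= min(G B+, G B-).
DD = [[0, 0, 0],
      [0, 0, 0],
      [1, 0, 0],
      [2, 1, 1]]


def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*B)] for row in A]


def matvec(A, v):
    return [sum(a * x for a, x in zip(row, v)) for row in A]


def identity(k):
    return [[int(i == j) for j in range(k)] for i in range(k)]


def check_inverse():
    return matmul(T, T_INV) == identity(N + D)


def build():
    """Theorem 3: L = [I_n 0] T, G = T^{-1} [I_n; 0], P = [0 I_d] T,
    B~+ = G B+ - DD, B~- = G B- - DD. Returns (L, G, P, B~+, B~-)."""
    L = T[:N]                                      # first n rows of T
    G = [row[:N] for row in T_INV]                 # first n columns of T^{-1}
    P = T[N:]                                      # last d rows of T
    GBp, GBm = matmul(G, B_PLUS), matmul(G, B_MINUS)
    m = len(B_PLUS[0])
    for i in range(N + D):
        for j in range(m):
            if not 0 <= DD[i][j] <= min(GBp[i][j], GBm[i][j]):
                raise ValueError("DD violates 0 <= DD <= min(GB+, GB-)")
    Bp = [[GBp[i][j] - DD[i][j] for j in range(m)] for i in range(N + D)]
    Bm = [[GBm[i][j] - DD[i][j] for j in range(m)] for i in range(N + D)]
    return L, G, P, Bp, Bm


def similar_to_standard():
    """T (B~+ - B~-) must equal [B; 0] with B = B+ - B-, the form of eq. (7)."""
    _, _, _, Bp, Bm = build()
    Bt = [[p - m for p, m in zip(rp, rm)] for rp, rm in zip(Bp, Bm)]
    B = [[p - m for p, m in zip(rp, rm)] for rp, rm in zip(B_PLUS, B_MINUS)]
    return matmul(T, Bt) == B + [[0] * len(B[0])] * D


def step(q, j, Bp, Bm):
    """Fire t_j (0-based) in a net with matrices (Bp, Bm)."""
    col_m = [row[j] for row in Bm]
    if any(qi < bi for qi, bi in zip(q, col_m)):
        raise ValueError(f"t{j + 1} not enabled in {q}")
    return [qi + row[j] - bi for qi, row, bi in zip(q, Bp, col_m)]


def simulate(q0, sequence):
    """Run S and H in lockstep; return (q, q_h) after the sequence. Asserts
    q_h = G q, q = L q_h and P q_h = 0 at every epoch (the embedding invariants)."""
    L, G, P, Bp, Bm = build()
    q, q_h = list(q0), matvec(G, q0)
    for j in sequence:
        q = step(q, j, B_PLUS, B_MINUS)
        q_h = step(q_h, j, Bp, Bm)
        assert q_h == matvec(G, q) and matvec(L, q_h) == q and not any(matvec(P, q_h))
    return q, q_h


def post_failure_syndrome(q0, j):
    """Syndrome P q_f when t_j fires from G q0 without its postconditions."""
    _, G, P, Bp, Bm = build()
    q_f = [qi - row[j] for qi, row in zip(matvec(G, q0), Bm)]
    return matvec(P, q_f)
```

Firing $t_1, t_2, t_3, t_1$ from $q[0] = [2\;0\;0]^T$ keeps the syndrome at zero throughout, while a postcondition failure of $t_1$ from the same marking produces a non-zero syndrome, so the added structure is usable for detection exactly as the text states.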

5 Applications in Control

A discrete event system (DES) is usually monitored through a separate control
mechanism that takes appropriate actions based on observations about the
state and activity in the system. Control strategies (such as enabling or disabling
transitions and external inputs) are often based on the Petri net that models the
DES of interest. In this section we use the techniques of Section 3 to construct
Petri net embeddings that allow the control mechanism to concurrently
detect and locate multiple active transitions. One of the biggest advantages of
our approach is that it can be combined with failure detection and identification
and that it is able to perform monitoring despite incomplete or erroneous
information.

Example 5: We revisit the Petri net of the figure introduced earlier, which models a distributed processing network. If we add one extra place (d = 1) and use matrices C = [1 1 3 2 3 1] and D = [2 5 3 1], we obtain a separate Petri net embedding with one additional place that acts as a place-holder for special tokens (acknowledgment tokens): it receives 2 (1) such tokens whenever transition $t_1$ ($t_4$) is completed (i.e., we assume that our monitoring mechanism observes the completion of transitions $t_1$ and $t_4$); it provides 1 token in order to enable transition $t_2$ (i.e., our monitoring mechanism observes the initiation of transition $t_2$). Explicit acknowledgments about the start and completion of all transitions are avoided. Furthermore, by adding enough extra places, we can make the above monitoring scheme robust to incomplete or erroneous information (as in the case when a certain place is not required to or fails to submit the correct number of tokens).

At any given time epoch k, the controller of the redundant Petri net can identify if a transition is under execution by observing the state $q_h[k]$ of the system and by performing the parity check

$$
[-C \;\; I_1]\, q_h[k] = [-1 \; -1 \; -3 \; -2 \; -3 \; -1 \; 1]\, q_h[k] .
$$

(This of course assumes that each place can report the number of tokens stored in it.) If the result is 2 (5, 3, 1) then we know that transition $t_1$ ($t_2$, $t_3$, $t_4$) is under execution. Note that in order to identify whether multiple transitions are under execution, we need to use more extra places (d > 1). □

Footnote: We define an active transition as a transition that has used all tokens at its input places but has not yet returned any tokens at its output places (i.e. a transition that has not completed its postconditions).
One can also use separate embeddings to detect and identify illegal transitions in Petri net models. Suppose, for example, that the system modeled by the Petri net is "observed" through two different mechanisms: (i) place sensors that provide information about the number of tokens in a place, and (ii) transition sensors that indicate when a particular transition fires. One can construct a separate embedding that detects discrepancies in the information provided by these two sets of sensors in order to pinpoint illegal behavior.

Let the state evolution equation of the DES of interest be

$$
q[k+1] = q[k] + [B^+ \mid B_u^+]\, x[k] - [B^- \mid B_u^-]\, x[k] ,
$$

where the columns of $B_u^+$ and $B_u^-$ model the postconditions and preconditions of illegal transitions. We will then construct a separate embedding for the legal part of the network. The overall system will then have a state evolution

$$
q_h[k+1] = \begin{bmatrix} q_{h1}[k+1] \\ q_{h2}[k+1] \end{bmatrix}
= q_h[k]
+ \begin{bmatrix} B^+ & B_u^+ \\ CB^+ - D & 0 \end{bmatrix} x[k]
- \begin{bmatrix} B^- & B_u^- \\ CB^- - D & 0 \end{bmatrix} x[k] .
$$

Our goal will be to choose C and D appropriately so that we can detect illegal behavior. Information about the state on the upper part of the embedding (vector $q_{h1}[k+1]$) will be provided to the controller by the place sensors. The effect of illegal transitions will be captured in this part of the embedding by the changes in the number of tokens in the affected places. The additional places (with state vector $q_{h2}[k]$) are internal to the controller and act only as test places (see the footnote below). Once the number of tokens in these test places is initialized appropriately (i.e. $q_{h2}[0] = C\,q_{h1}[0]$), the controller removes or adds tokens to these places based on which transitions take place. Therefore, the information about the bottom part of the system (with state evolution $q_{h2}[k+1] = q_{h2}[k] + [CB^+ - D \mid 0]\, x[k] - [CB^- - D \mid 0]\, x[k]$) is (indirectly) provided by the transition sensors.

When an illegal transition fires during time epoch k, the illegal state $q_I[k]$ of the redundant embedding is given by

$$
q_I[k] = q_h[k] + \begin{bmatrix} B_u^+ \\ 0 \end{bmatrix} x_u[k] - \begin{bmatrix} B_u^- \\ 0 \end{bmatrix} x_u[k] ,
$$

where $x_u[k]$ denotes a vector with all zero entries, except an entry that is 1 and is associated with the illegal transition that fired. If we perform the parity check $P q_I[k]$ we get:

$$
P q_I[k] = [-C \;\; I_d]\, q_I[k] = \ldots = -C B_u\, x_u[k] ,
$$

where $B_u = B_u^+ - B_u^-$. Therefore, we can identify which illegal transition has fired if all columns of $C B_u$ are distinct (and non-zero, since a zero column would make that illegal transition indistinguishable from legal activity).

Footnote: Test places cannot inhibit transitions and can have a negative number of tokens. A connection from a test place $p_i$ to transition $t_j$ indicates that the number of tokens in $p_i$ will decrease when $t_j$ fires.

Fig. 5. The cat-and-mouse maze.



Example 6: Consider the Petri net version of the popular "cat-and-mouse" problem, originally introduced in the setting of supervisory control. We are given the maze of five rooms shown in Figure 5; a cat and a mouse circulate in this maze, with the cat moving from room to room through unidirectional "doors" {c_1, c_2, ...} and the mouse through unidirectional "doors" {m_1, m_2, ..., m_6}. The Petri net model is based on two separate subnets, one dealing with the cat's position and movements and the other dealing with the mouse's position and movements. Each subnet has five places, corresponding to the five rooms in the maze. A token in a certain place indicates that the mouse (or the cat) is in the corresponding room. Transitions model the movement of the two animals between different rooms (as allowed by the structure of the maze in Figure 5). In particular, the subnet that deals with the mouse has a state vector with five variables, exactly one of which has the value 1 (the rest are set to 0). The state evolution for this subnet is given by the state evolution equations with

$$
B^+ = \begin{bmatrix}
0 & 0 & 1 & 0 & 0 & 1 \\
0 & 1 & 0 & 0 & 0 & 0 \\
1 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 1 & 0 \\
0 & 0 & 0 & 1 & 0 & 0
\end{bmatrix}, \qquad
B^- = \begin{bmatrix}
1 & 0 & 0 & 1 & 0 & 0 \\
0 & 0 & 1 & 0 & 0 & 0 \\
0 & 1 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 1 \\
0 & 0 & 0 & 0 & 1 & 0
\end{bmatrix}.
$$

For example, $q[k] = [0\;1\;0\;0\;0]^T$ means that at time epoch k the mouse is in room 2. Transition $t_3$ takes place when the mouse moves from room 2 to room 1 through door $m_3$; this causes the new state to be $q[k+1] = [1\;0\;0\;0\;0]^T$.

We assume that the controller of the maze in Figure 5 obtains information about the state of the system through a set of detectors. More specifically, each room is equipped with a "mouse sensor" that indicates whether the mouse is in that room. In addition, door sensors get activated whenever the mouse goes through the corresponding door. Suppose that due to a bad choice of materials, the maze of Figure 5 is built in a way that allows the mouse to dig a tunnel connecting rooms 1 and 5 and/or a tunnel connecting rooms 1 and 4. The existence of such a tunnel leads to illegal (i.e. non-door) transitions in the network described by

$$
B_u = B_u^+ - B_u^- = \begin{bmatrix}
1 & -1 & 1 & -1 \\
0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 \\
0 & 0 & -1 & 1 \\
-1 & 1 & 0 & 0
\end{bmatrix}
$$

(column $u_1$ is the tunnel move from room 5 to room 1, $u_2$ from room 1 to room 5, $u_3$ from room 4 to room 1 and $u_4$ from room 1 to room 4). In order to detect the existence of such tunnels we can use a Petri net embedding with one additional place (d = 1), C = [1 1 1 2 3] and D = [1 1 1 1 2 1]. The resulting redundant matrices $B_h^+$ and $B_h^-$ (legal columns $t_1, \ldots, t_6$ followed by the illegal columns $u_1, \ldots, u_4$) are given by









$$
B_h^+ = \begin{bmatrix}
0 & 0 & 1 & 0 & 0 & 1 & 1 & 0 & 1 & 0 \\
0 & 1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 & 1 \\
0 & 0 & 0 & 1 & 0 & 0 & 0 & 1 & 0 & 0 \\
0 & 0 & 0 & 2 & 0 & 0 & 0 & 0 & 0 & 0
\end{bmatrix}, \qquad
B_h^- = \begin{bmatrix}
1 & 0 & 0 & 1 & 0 & 0 & 0 & 1 & 0 & 1 \\
0 & 0 & 1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 1 & 0 & 0 & 1 & 0 \\
0 & 0 & 0 & 0 & 1 & 0 & 1 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 1 & 1 & 0 & 0 & 0 & 0
\end{bmatrix},
$$

where the last row of each matrix is $[CB^+ - D \mid 0]$ and $[CB^- - D \mid 0]$ respectively. The upper part of the network is observed through the place sensors. The number of tokens in the additional place is updated based on information from the transition sensors (it receives 2 tokens when transition $t_4$ fires; it loses 1 token when $t_5$ or $t_6$ fires). The parity check is given by

$$
[-C \;\; I_1]\, q_h[k] = [-1 \; -1 \; -1 \; -2 \; -3 \; 1]\, q_h[k]
$$

and is 0 if no illegal activity has taken place. It is 2 (−2, 1, −1) if illegal transition $B_u(:,1)$ ($B_u(:,2)$, $B_u(:,3)$, $B_u(:,4)$) has taken place. □
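The embedding of Example 6 carried through in code, as an added example that is not part of the paper: it builds $B_h^+$ and $B_h^-$ from the $B^\pm$, C and D above, runs the parity check $P = [-C \;\; I_1]$ along legal door moves (always 0), applies each tunnel move and identifies it from the signature $-C B_u(:,u)$, and also exercises the active-transition reading of Example 5 (the parity value equals $D(:,j)$ while $t_j$ has consumed its inputs but not yet produced its outputs) and the enabling-preservation condition of the theorem. The function names (embed, fire_illegal, identify_illegal, active_signature, ...) and the pure-list matrix helpers are my choices, not the paper's.

```python
"""Added example (not from the paper): the separate Petri net embedding of
Example 6, the mouse subnet of the cat-and-mouse maze, together with the parity
check that reads 0 for legal door moves and identifies which tunnel (illegal
transition) was used.  Plain lists stand in for matrices so it runs anywhere."""
from typing import List, Optional, Tuple

Vec = List[int]
Mat = List[List[int]]


def matvec(a: Mat, x: Vec) -> Vec:
    return [sum(u * v for u, v in zip(row, x)) for row in a]


def matmul(a: Mat, b: Mat) -> Mat:
    cols = list(zip(*b))
    return [[sum(u * v for u, v in zip(row, col)) for col in cols] for row in a]


def column(a: Mat, j: int) -> Vec:
    return [row[j] for row in a]


# Mouse subnet of the paper: rows are rooms 1..5, columns are doors t1..t6.
B_PLUS: Mat = [[0, 0, 1, 0, 0, 1], [0, 1, 0, 0, 0, 0], [1, 0, 0, 0, 0, 0],
               [0, 0, 0, 0, 1, 0], [0, 0, 0, 1, 0, 0]]
B_MINUS: Mat = [[1, 0, 0, 1, 0, 0], [0, 0, 1, 0, 0, 0], [0, 1, 0, 0, 0, 0],
                [0, 0, 0, 0, 0, 1], [0, 0, 0, 0, 1, 0]]
# Tunnel (illegal) transitions u1..u4 of the paper: 5->1, 1->5, 4->1, 1->4.
BU_PLUS: Mat = [[1, 0, 1, 0], [0, 0, 0, 0], [0, 0, 0, 0], [0, 0, 0, 1], [0, 1, 0, 0]]
BU_MINUS: Mat = [[0, 1, 0, 1], [0, 0, 0, 0], [0, 0, 0, 0], [0, 0, 1, 0], [1, 0, 0, 0]]
C: Mat = [[1, 1, 1, 2, 3]]            # one extra (test) place, d = 1
D: Mat = [[1, 1, 1, 1, 2, 1]]
N_PLACES, N_TRANS = len(B_PLUS), len(B_PLUS[0])


def embed(bp: Mat, bm: Mat, c: Mat, d: Mat) -> Tuple[Mat, Mat]:
    """Separate embedding: B_h^+ = [B^+; CB^+ - D], B_h^- = [B^-; CB^- - D]."""
    def extra(b: Mat) -> Mat:
        return [[v - w for v, w in zip(row, drow)] for row, drow in zip(matmul(c, b), d)]
    bhp, bhm = bp + extra(bp), bm + extra(bm)
    # Condition 2 of the theorem: a valid D keeps the redundant matrices non-negative.
    if any(v < 0 for row in bhp + bhm for v in row):
        raise ValueError("D too large: redundant matrices would have negative entries")
    return bhp, bhm


BH_PLUS, BH_MINUS = embed(B_PLUS, B_MINUS, C, D)
PARITY: Mat = [[-v for v in C[0]] + [1]]            # P = [-C  I_d]
BU: Mat = [[p - m for p, m in zip(rp, rm)] for rp, rm in zip(BU_PLUS, BU_MINUS)]
SIGNATURES: List[int] = [-v for v in matmul(C, BU)[0]]   # -C B_u(:, u) for u1..u4


def room(r: int) -> Vec:
    """Marking of the mouse subnet with the mouse in room r (1-based)."""
    return [1 if i == r - 1 else 0 for i in range(N_PLACES)]


def encode(q: Vec) -> Vec:
    """q_h = [q; Cq]: the test place starts so that the parity check is 0."""
    return q + matvec(C, q)


def parity(qh: Vec) -> int:
    return matvec(PARITY, qh)[0]


def enabled(q: Vec, bm: Mat, j: int) -> bool:
    return all(qi >= w for qi, w in zip(q, column(bm, j)))


def fire(qh: Vec, j: int) -> Vec:
    """Legal firing of door t_{j+1}: rooms and test place are both updated."""
    if not enabled(qh, BH_MINUS, j):
        raise ValueError(f"t{j + 1} is not enabled")
    return [v - m + p for v, m, p in zip(qh, column(BH_MINUS, j), column(BH_PLUS, j))]


def fire_illegal(qh: Vec, u: int) -> Vec:
    """Tunnel move u: only the room places (seen by the place sensors) change; the
    test place is driven by the door sensors, which never see a tunnel."""
    rooms = [v - m + p for v, m, p in zip(qh[:N_PLACES], column(BU_MINUS, u), column(BU_PLUS, u))]
    return rooms + qh[N_PLACES:]


def identify_illegal(qh: Vec) -> Optional[int]:
    """None when the parity check is 0; otherwise the index of the tunnel whose
    signature matches (unique because the four signatures are distinct)."""
    value = parity(qh)
    if value == 0:
        return None
    return SIGNATURES.index(value)


def active_signature(qh: Vec, j: int) -> int:
    """Parity value while t_{j+1} is active (inputs consumed, outputs not yet
    produced); it equals D(:, j), which is the idea behind Example 5."""
    return parity([v - m for v, m in zip(qh, column(BH_MINUS, j))])


def enabling_preserved(q: Vec) -> bool:
    """Condition 3 of the theorem: every door enabled in S is enabled in H."""
    qh = encode(q)
    return all(enabled(qh, BH_MINUS, j) for j in range(N_TRANS) if enabled(q, B_MINUS, j))


if __name__ == "__main__":
    qh = encode(room(1))
    for j in range(N_TRANS):             # one lap through both door cycles: parity 0
        qh = fire(qh, j)
        print(f"after t{j + 1}: q_h={qh} parity={parity(qh)}")
    dug = fire_illegal(encode(room(5)), 0)
    print(f"tunnel 5->1: parity={parity(dug)} -> u{identify_illegal(dug) + 1}")
```

The signatures come out as [2, −2, 1, −1], matching the text. With this D only $t_5$ has a distinct entry, so the active-transition reading cannot tell the other doors apart; Example 5 picks D = [2 5 3 1] precisely so that all entries differ. The same structure is what a practitioner uses when cross-checking two independent telemetry sources (here room sensors against door sensors): a non-zero residual is attributable to a specific unmodelled transition only when the signature set is distinct and non-zero.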



6 Conclusion 

In this paper we have investigated ways of systematically incorporating redundancy into a given Petri net in order to achieve failure monitoring or facilitate the control of the underlying DES. We defined and characterized particular classes of Petri net embeddings, which we then used for systematically constructing fault detection and identification schemes under different error models. Our approach extends earlier results on fault-tolerant Petri nets by introducing non-separate embeddings, by allowing the study of non-pure Petri nets, and by extending the methods to fault-tolerant monitoring schemes for DES. The resulting monitors use linear checks to detect and identify failures; furthermore, they are robust to erroneous or incomplete information and do not need to be re-constructed when the initial state of the Petri net changes. Our approach is very general and does not make any assumption about the underlying DES.

One interesting extension of our work would be towards the development of robust control schemes for DESs that are observed at a central or distributed controller through a network of remote and unreliable sensors. In such cases, we can use Petri net embeddings to design redundant sensor networks and to devise control strategies that achieve the desired objective despite the presence of uncertainty (in the sensors themselves or in the information received by the controller). A related research direction would be to characterize different criteria for choosing our redundant embeddings (e.g. matrices C and D) in order to eventually develop tools that automatically provide fault detection and identification to DESs of interest (e.g. network protocols). Another possibility for future research is to develop more general redundant embeddings and to explicitly study examples where a subset of transitions is uncontrollable and/or unobservable (e.g. when links to or from the transition are not possible). Also, in order to achieve error correction, we need to introduce error recovery transitions which can serve as correction mechanisms when particular failures are detected. We are also considering ways to extend our approach to hierarchical or distributed monitoring schemes for large Petri nets by enforcing appropriate constraints on the corresponding embeddings.
Abstract. Embedded system design requires the use of efficient scheduling policies to execute on shared resources, e.g. the processor, algorithms
that consist of a set of concurrent tasks with complex mutual dependen- 
cies. Scheduling techniques are called static when the schedule is com- 
puted at compile time, dynamic when some or all decisions are made 
at run-time. The choice of the scheduling policy mainly depends on the 
specification of the system to be designed. For specifications containing 
only data computation, it is possible to use a fully static scheduling tech- 
nique, while for specifications containing data-dependent control struc- 
tures, like the if-then-else or while-do constructs, the dynamic behaviour 
of the system cannot be completely predicted at compile time and some 
scheduling decisions are to be made at run-time. For such applications 
we propose a Quasi-static scheduling (QSS) algorithm that generates a 
schedule in which run-time decisions are made only for data-dependent 
control structures. We use Equal Conflict (EC) nets as underlying model, 
and define quasi-static schedulability for EC nets. We solve QSS by re- 
ducing it to a decomposition of the net into conflict-free components. 
The proposed algorithm is complete, in that it can solve QSS for any EC 
net that is quasi-statically schedulable. 



1 Introduction 

Embedded systems are informally defined as a collection of programmable units, 
e.g. microcontrollers and DSPs, surrounded by ASICs and other standard compo- 
nents, that interact with the environment through sensors and actuators. Soft- 
ware development and its integration with the hardware is one of the main 
sources of cost in embedded system design. Modern design flows allow the de- 
signer to start with a functional specification of the overall system and map it 
onto a heterogeneous architecture including processors, memories and ASICs. 
However, an implementation on a shared resource, such as a processor, requires 
one to solve a scheduling problem, in order to sequence the execution of the con- 
current modules while simultaneously (1) satisfying real-time constraints and 
(2) using the processor and the memory resources as efficiently as possible. 

Embedded systems specifications usually contain both data computations 
and control structures. Control structures can be of two types: (1) data-dependent 
controls, like if-then-else or while-do loops, determine the next operation to be
executed by testing the value of some data, and (2) real-time controls, like pre- 
emption and suspension, trigger actions after the occurrence of external or inter- 
nal events. For specifications containing only data computations (assignments 
and fixed iteration loops) the schedule can be completely computed at compile 
time, and therefore is called static. A static schedule, usually implemented as a 
single task, is predictable and can be executed with almost no run-time over- 
head. However, when specifications include also some control it is not possible 
to compute the entire schedule at compile time. If the specification contains 
only data-dependent type of control in addition to data computation, the order 
in which operations are executed depends on the value of some data, which is 
known at run-time. In this case, quasi-static scheduling techniques compute
most of the schedule at compile time, leaving at run-time only the solution of 
data-dependent choices. Furthermore, if the specification allows communication 
via queues of unbounded size (e.g., in SDL or Dataflow networks), (quasi)static 
scheduling can bound the maximum size of those queues and ensure correct ex- 
ecution on an embedded system with a finite amount of physical memory. For 
specifications containing also real-time controls, the run-time behaviour heavily 
depends on the occurrence of external events. In this case, classical Real-Time 
scheduling techniques can be used to decide at run-time which tasks should be 
executed in reaction to such events. This type of schedule is called dynamic. 

In this paper we present a new approach to schedule specifications including not only data-processing computations but also data-dependent control structures. We propose a Quasi-static scheduling (QSS) algorithm that takes as input a Petri Net (PN) model of the specification and produces as output a software implementation consisting of a set of concurrent tasks. The scheduling technique is quasi-static in the sense that, although any control decision is still made at run-time based on the value of the data, the fragments of code that need to be executed as the consequence of the resolution are scheduled at compile time. Our technique addresses the problem of partitioning the functionality of the specification into tasks, i.e. functional blocks having the same execution rate. In particular, the algorithm we propose automatically finds a partition with the minimum number of tasks, a problem usually solved by hand by experienced designers, and therefore significantly reduces the run-time overhead and improves performance on single processor architectures. Here we address the problem of identifying tasks and deriving the code for each task, while issues like real-time dynamic scheduling of tasks are out of the scope of this paper.

We have chosen PNs as the underlying formal model because they can express concurrency, non-deterministic choice, synchronization and causality, and because most properties are decidable for PNs. We represent data computations using transitions and channels between computation units using places. Data-dependent control is modeled by places, called choices, with multiple output transitions, one for each possible resolution of the control. Data are modeled as tokens passed by transitions through places. In particular, we use a sub-class of PNs called Equal Conflict Nets (EC nets), because they exhibit a clear distinction between the notions of concurrency and choice. Hence, they are appropriate to model computations in which control decisions depend on the value rather than on the arrival time of a token (see footnote).

Footnote: Static and quasi-static scheduling generates sequential code and statically allocates communication buffers. Hence it is often called "software synthesis" in the literature, as opposed to the term "scheduling", that is often reserved to dynamic real-time scheduling.

In this paper we introduce the notion of schedulability for EC nets. Infor- 
mally, an EC net is quasi-statically schedulable if for every resolution of the con- 
trol at the choice places, there exists a finite cyclic firing sequence that returns 
the tokens of the net to their initial places. The existence of cyclic sequences is 
required because it ensures that the number of data tokens that accumulate in 
any place is bounded even for infinite execution. We present an algorithm that 
first checks schedulability of the net to verify the correctness of the specifica- 
tion. If the net is not schedulable, the designer is notified that there exists no 
implementation that can be executed forever with bounded memory. If the net is 
schedulable, the algorithm computes a quasi-static schedule by decomposing the 
net into conflict free components and then applies static scheduling techniques 
to each component. 

Previous work has used the decomposition of Free-Choice (FC) PNs into conflict free components. The fundamental theorem of Hack on live and safe strongly connected FCPNs is based on the decomposition of the net into as many Marked Graph (MG) reductions as the number of possible allocations of the non-deterministic choices. Best proposes an iterative algorithm to decompose a strongly connected ordinary PN into a set of strongly connected MGs. More recently, Teruel extends to weighted nets known results for ordinary nets. These works have their main application in checking whether a given strongly connected net is bounded. However, in the domain of embedded reactive systems applications usually have lots of interactions with the environment, that are naturally modeled as source and sink transitions. As a result, nets modeling embedded systems are not strongly connected. Moreover, boundedness is a too restrictive property for our objective, that is finding one implementation with guaranteed bounded memory execution. In fact, schedulability implies the existence of at least one valid schedule that ensures that there is no unbounded accumulation of tokens in any place, while boundedness implies that for all the reachable markings, the number of tokens in any place does not exceed a certain number k. Therefore, we modify Hack's MG decomposition algorithm and apply it to the class of EC nets that have source and sink transitions.

Finally, our technique derives a software implementation of the schedule by traversing it and replacing transitions with the corresponding code (inline coding). A different approach to software synthesis using PNs has been recently proposed. That algorithm generates a software program from a concurrent process specification through an intermediate PN representation. This approach is based on the strong assumption that the PN is safe, i.e. buffers can store at most one data unit. This on one side guarantees termination of the algorithm, on the other side it makes it impossible to handle multirate specifications, like FFT computations and downsampling. Moreover, safeness excludes the possibility to use PNs where source and sink transitions model the interaction with the environment: this makes it impossible to specify inputs with independent rate (see footnote). This method, assuming a priori that the net is schedulable, also does not address the important problem of verifying the schedulability of the specification.

Footnote: EC nets model data-dependent control by abstracting the if-then-else control decisions as non-deterministic choices.

The paper is organized as follows. In Section 2 we recall some definitions of the 
PN model and in Section 3 we shortly describe known techniques for scheduling 
of Weighted T-Systems. Section 4 defines the Quasi-Static Scheduling problem 
for EC nets and presents an algorithm to find a solution, if there exists one. 
Then, we describe how to generate a C program in Section 5. Section 6 presents 
an ATM Server application and experimental results. 



2 Petri Nets: Background 

A Petri Net is a triple (P, T, F), where P is a non-empty finite set of places, T a non-empty finite set of transitions and F : (T × P) ∪ (P × T) → ℕ the weighted flow relation between transitions and places. A Petri Net graph is a representation of a Petri Net as a bipartite weighted directed graph. If F(x, y) > 0, there is an arc with weight F(x, y) from node x to node y. Given a node x, either a place or a transition, its preset is defined as •x = {y | F(y, x) > 0} and its postset as x• = {y | F(x, y) > 0}. For a node y, Pre[X, y] is a vector whose i-th component is equal to F(x_i, y). A transition (place) whose preset is empty is called source transition (place), a transition (place) whose postset is empty is called sink transition (place). A place p such that |p•| > 1 is called choice or conflict. If |•p| > 1, p is called merge. Two transitions t and t' of a net N are said to be in Equal Conflict Relation (see footnote) if Pre[P, t] = Pre[P, t'] ≠ 0. A marking μ is an n-vector μ = (μ_1, μ_2, ..., μ_n) where n = |P| and μ_i is the non-negative number of tokens in place p_i. A transition t such that each input place p_i is marked with at least F(p_i, t) tokens is enabled and may fire. When transition t fires, F(p_i, t) tokens are removed from each input place p_i and F(t, p_j) tokens are produced in each output place p_j.

The following PN properties, which are decidable for any Petri Net, are relevant in our discussion: 1) Reachability. A marking μ' is reachable from a marking μ if there exists a firing sequence σ starting at marking μ and finishing at μ'. 2) Boundedness. A Petri Net is said to be k-bounded if the number of tokens in every place of a reachable marking does not exceed a finite number k. A safe Petri Net is one that is 1-bounded. 3) Deadlock-freedom. A Petri Net is deadlock-free if, no matter what marking has been reached, it is possible to fire at least one transition of the net. 4) Liveness. A Petri Net is live if for every reachable marking and every transition t it is possible to reach a marking that enables t.

Footnote: Two inputs have independent rate if their rates are not rationally related. An example of inputs with independent rate are the input keys from a keyboard. Instead, two streams of PCM samples for stereo audio are inputs with dependent rate.

Footnote: The Equal Conflict Relation is an equivalence relation that partitions the set of transitions of the net into a set of equivalence classes called Equal Conflict Sets.

Definition 1. A PN is a Weighted T-System (WT-System) if ∀p ∈ P : |•p| = |p•| = 1.

Definition 2. A PN is a Conflict Free (CF) Net if ∀p ∈ P : |p•| ≤ 1.

Definition 3. A PN is an Equal Conflict (EC) Net if •t ∩ •t' ≠ ∅ ⟹ Pre[P, t] = Pre[P, t'].



3 Static Scheduling of Weighted T-Systems 

Weighted T-Systems (WT-Systems; see footnote) are a subclass of PNs that can represent concurrency and synchronization but not conflict and, therefore, are used to model specifications including pure data computation. WT-Systems can be mapped to Synchronous Dataflow networks where transitions are actors and places arcs; hence, one can apply to WT-Systems the well-known techniques for SDF scheduling. The approach proposed by Lee to find a static schedule for an SDF graph is based on the notion of finite complete cycle.

Definition 4. Given a Petri Net and an initial marking, a finite complete cycle is a sequence of transition firings that returns the net to its initial marking.

Since both the number of transition firings in a finite complete cycle and the tokens produced by each firing are finite, the number of tokens that can accumulate in any place of the net during the execution is bounded. If such a finite complete cycle exists, the net can be executed forever with bounded memory by repeating infinitely many times this sequence of transition firings (Figure 1). Therefore, a static schedule is a periodic sequence of transitions and the period is a finite complete cycle.




[Fig. 1. Cyclic schedule: the period σ = t1 t1 t1 t1 t2 t2 t3 is repeated, and the marking returns to (0, 0) after each period.]



Footnote: Weighted T-Systems generalize Marked Graphs allowing arcs with non-unit weights.

The problem of finding a finite complete cycle for a net can be reduced to the reachability problem, which is known to be decidable. In terms of reachability the goal is to find a sequence of transitions σ that starting from the marking μ returns the net to the same marking μ. To find σ, one must first solve the state equations $f(\sigma)^T \cdot D = 0$. Here, D is a matrix where the i-th row corresponds to a transition t_i, the j-th column corresponds to a place p_j, and $D[i, j] = F(t_i, p_j) - F(p_j, t_i)$. A solution f(σ), called T-invariant, is a vector whose i-th component f_i(σ) is the number of times that transition t_i appears in sequence σ.

Definition 5. A Petri Net is consistent iff ∃ f(σ) > 0 s.t. $f(\sigma)^T \cdot D = 0$.

The existence of a T-invariant is a necessary, but not sufficient condition for a finite complete cycle to exist. In fact, even if there exists a solution of the state equations, deadlock can still occur if there are not enough tokens to fire any transition. Therefore, once a T-invariant f(σ) is obtained, it is necessary to verify by simulation that there exists a sequence σ_i that contains transition t_j as many times as f_j(σ) and such that the net does not deadlock during execution. Such a sequence σ_i, if it exists, is a finite complete cycle. Lee has shown that it is sufficient to simulate the firing sequences corresponding to the minimal vector (see footnote) in the one-dimensional T-invariant space. This approach can be adopted for WT-Systems, but it is not adequate for larger classes of PNs containing non-deterministic choices (see footnote).




Fig. 2. Schedulable (a) and not schedulable (b) EC nets 



Footnote: A T-invariant is minimal when its set of non-zero entries is not a strict superset of that of any other T-invariant and the greatest common divisor of its elements is one.

Footnote: Nets containing non-deterministic choices may have two or more T-invariants that are linearly independent (Figure 2).

4 Quasi-static Scheduling of ECN

4.1 Definition of Schedulability 

Let Σ = {σ_1, σ_2, ...} be a non-empty finite set of finite firing sequences such that for all σ_i ∈ Σ, σ_i is a finite complete cycle. Let σ_i^j be the j-th transition in sequence σ_i = (σ_i^1 σ_i^2 ... σ_i^{n_i}) and let φ be the characteristic function of the Equal Conflict Relation, i.e. φ(t, t') = 1 iff t and t' are in Equal Conflict Relation.

Definition 6. The set Σ is a valid set of finite complete cycles if:

(1) ∀σ_i ∈ Σ, ∀σ_i^j ∈ σ_i s.t. σ_i^j ≠ σ_i^h ∀h < j, ∀t_k ∈ T s.t. t_k ≠ σ_i^j and φ(t_k, σ_i^j) = 1, ∃σ_l ∈ Σ s.t.

(a) σ_l^m = σ_i^m, ∀m ≤ j − 1

(b) σ_l^m = t_k, m = j

(2) ∀σ_i ∈ Σ, there exists no transition t ∉ σ_i that is always enabled when σ_i is executed (fairness).

This definition informally means that for each sequence σ_i that includes a conflict transition σ_i^j (condition (1) is imposed at the first position j where that transition occurs in σ_i), for each transition t_k that is in Equal Conflict Relation with σ_i^j, there exists another sequence σ_l s.t. σ_i and σ_l are identical up to the (j−1)th transition and have respectively σ_i^j and t_k at the j-th position in the sequence. Condition 2 (fairness) guarantees that there is no transition that, although always enabled during a cycle, is never executed. This definition allows for some transitions to be dead; liveness checking is trivially done once T-invariants have been derived.

Definition 7. Given an EC net N and an initial marking μ_0, a valid set of finite complete cycles Σ is executable if the net does not deadlock when its execution is simulated.

Definition 8. A valid set of finite complete cycles Σ is a valid schedule if it is executable.

Definition 9. Given an EC net N and an initial marking μ_0, the pair (N, μ_0) is (quasi-statically) schedulable if there exists a valid schedule.

This definition of schedulability extends to EC nets the concept of WT-System scheduling given in Section 3. If the net contains non-deterministic choices that model data dependent structures like if-then-else or while-do, a valid schedule is an executable set of firing sequences, one for every resolution of non-deterministic choices. A valid schedule must contain a finite complete cycle for every possible outcome of a choice because the value of the control tokens is unknown at compile time when the valid schedule is computed.

Footnote: We consider only EC nets whose underlying undirected graph is connected, i.e. nets such that there exists an undirected path between every pair of nodes.
Executability is required because, in the case of strongly-connected EC net fragments, it is possible that successive choice resolutions belong to different branches, and hence accumulate tokens in various branches and cause deadlocks even when each subnet including only one branch by itself does not. An example is shown in Figure 3, where both subnets, each including only one of the two branches, are fireable in isolation. However, when t2 and t3 fire in sequence, the complete net deadlocks (one token in p2 and one token in p3 are not sufficient to fire any transition).



We can also consider the scheduling problem as a game played against an 
adversary who can arbitrarily choose among conflicting transitions and has the 
goal of accumulating infinitely many tokens in any place of the net. Then, our 
objective is to find a non-terminating bounded memory execution by matching 
his choices with a cyclic schedule that returns the net to the initial marking. 

Let us consider three examples. Given the net in Figure 2(a), Σ = {(t1 t2 t4), (t1 t3 t5)} is a valid schedule because it contains a firing sequence for every value of the tokens in place p1, i.e., whatever conflicting transition fires among t2 and t3, it is possible to complete the cycle that returns the net to the initial marking by firing t4 or t5 respectively. The net shown in Figure 2(b) is not schedulable because there is no set of finite complete cycles that satisfies Definition 6. For example the set Σ = {(t1 t2 t1 t3 t4), (t1 t3 t1 t2 t4)} is not valid because it does not contain any firing sequence beginning with t1 t2 t1 t2. This corresponds to the fact that, in case transition t2 (t3) is always fired, there exists no firing sequence that returns the net to the initial marking and therefore unbounded accumulation of tokens occurs in place p2 (p3).




Fig. 3. EC net without executable S 




Fig. 4. Schedulable EC net with weighted arcs 
The net shown in figure 4 is schedulable and S = is a valid schedule. 
The weight two on the input arc of transition t4 implies that t2 has to fire 
twice before transition t4 is enabled. However, there is no guarantee 
that this happens within a cycle because it is not possible to know a priori 
which transition among t2 and t3 fires. So, if transitions t1 t2 t1 t3 t5 t5 fire in this 
order, one token remains in place p2 and the net does not return to the initial 
marking. The net is considered schedulable because repeated executions of this 
sequence do not result in unbounded accumulation of tokens (as soon as there 
are two tokens in place p2, transition t4 is fired and the tokens are consumed). 
The last example shows that a valid schedule does not necessarily include all 
the possible cyclic firing sequences, some even of infinite length, that can occur 
depending on the resolution of the non-deterministic choices (in this case the 
set would be t1 t2 (t1 t3 t5 t5)^n t1 t2 t4, ∀n ∈ ℕ ∪ {∞}). A valid schedule 
should be intended only as a complete set of cyclic firing sequences that ensure 
bounded memory execution of the net. The set is complete in the sense that it 
is possible to derive from it a C-code implementation of the schedule including 
all the sequences that can occur, as we discuss in Section 5. 

4.2 How to Find a Valid Schedule 

The algorithm is composed of two steps: 1) find a valid set of finite complete 
cycles, 2) check if the set is executable. Let us consider step 1. To find a valid set 
of finite complete cycles the net is first decomposed into as many Conflict Free 
(CF) components as the number of possible solutions for the non-deterministic 
choices of the net. Then, each component is statically scheduled. If every com- 
ponent is schedulable, we take a set that contains one finite complete cycle for 
each CF component. If at least one of the CF components is not schedulable, 
the net itself is said to be not schedulable. 

Definition 10. Let N = (T, P, F) and N' = (T', P', F') be two PNs. N' is a 
subnet of N if T' ⊆ T, P' ⊆ P and F' = F ∩ ((T' × P') ∪ (P' × T')). 

Definition 11. A subnet N' is a transition-generated subnet of N if P' is 
the set of all predecessor and successor places in N of the transitions in T' (i.e. 
∀t ∈ T', •t ⊆ P' and t• ⊆ P'). 

Definition 12. A T-component N' of a net N is a set of transition-generated 
subnets such that each of them is a consistent Conflict Free net and for each 
initially enabled transition t in N', there exists a T-invariant containing t. 

The net in figure 5 is not a T-component: it is consistent because there 
exists a T-invariant (f(σ) = (0, 0, 1, 1)), but there is no T-invariant containing 
transition t1. This corresponds to unbounded accumulation of tokens produced 
by the source transition t1 occurring in place p1. 

Definition 13. A T-component N' is (statically) schedulable if there exists a 
firing sequence that returns it to the initial marking without any deadlock when 
its execution is simulated. 
Fig. 5. Conflict Free net 

Fig. 6. Not schedulable EC net 



Definition 14. A T-allocation over an EC net is a function α : P → T that 
chooses exactly one among the successors of each place (∀p ∈ P, α(p) ∈ p•). 



Definition 15. The T-reduction associated with a T-allocation is a set of sub- 
nets generated from the image of the T-allocation using the following Reduction 
Algorithm. 

Let C1, C2, ..., Cm be the Equal Conflict Sets defined in Section 2.3 as the 
equivalence classes of the Equal Conflict Relation and αi the i-th T-allocation 
containing at most one transition for every Cj. The T-reduction Ri = (T_Ri, P_Ri, 
F_Ri) corresponding to T-allocation αi is generated as follows (see figure 7). 

Reduction Algorithm (Modified from [ref]) 

1. Ri = N (T_Ri = T, P_Ri = P, F_Ri = F). 

2. For all tk ∈ T_Ri and tk ∉ αi: 

 (a) Remove tk. 

 (b) ∀s ∈ tk•, remove place s unless one of the following conditions holds: 

  i. s has a predecessor transition different from tk (∃t ∈ •s s.t. t ∈ T_Ri). 

  ii. the successor transition of s has a predecessor place that is different 
  from s and is not a source place (∃t ∈ •(•(s•)) s.t. t ∈ T_Ri). 

 (c) If si is a removed place, ∀tj ∈ si•, remove tj if one of the following 
 conditions holds: 

  i. tj has no predecessor place (|•tj| = 0). 

  ii. all predecessors of tj are source places. In this case remove every 
  s ∈ •tj. 

 (d) Apply the previous two steps until they cannot be applied any longer. 
Fig. 7. How to obtain a T-reduction from the net shown in figure 6 
(T-allocation A1 = {t1, t2, t4, t5, t6, t7}; Step 4: remove p6, but p5 cannot be removed; 
Step 5: remove t7, stop; T-reduction R1 is inconsistent) 



Intuitively, the algorithm removes the part of the net that is inactive when the 
conflicting transitions included in the T-allocation are always chosen. Inactivity 
should be interpreted, for a transition, as the capability of firing only a finite 
number of times; for places, inactivity means having an empty preset in the 
current net. Let us consider the EC net in figure 8 and apply the Reduction 
Algorithm to compute the T-reduction from the T-allocation A1 in figure 9. 
First, unallocated transitions (t3 and t6) are removed. Then, successor places 
of every removed transition (in this case p3) are deleted unless they are merge 
places with undeleted predecessor transitions or their successor is a transition 
fed by at least one active place. The next step consists of the elimination of 
the transitions that are successors of places deleted in the previous step. At this 
point, transitions are deleted only if they have no predecessor places (so we can 
remove transition t10) or all the predecessor places are inactive. The last two 
steps are iterated until no new node is deleted. In this example, the algorithm 
does not continue because place p5 cannot be removed since it has a predecessor 
transition (t11). When the final T-reduction obtained by applying this algorithm 
contains one or more inactive places, the net is not schedulable, since these places 
contain only a finite number of tokens and do not allow infinite execution. 
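The Reduction Algorithm above, as an added Python example (this is not code from the paper): the net is a set of place/transition arcs, rules (a) to (d) are applied as a worklist until nothing changes, and the places left with an empty preset are reported as inactive. The two nets are constructed for the example (their names and shapes are assumptions, not the paper's figures): in the first, the two branches of the choice merge in a place, so the unchosen branch disappears entirely; in the second, the branches join in a transition that needs both, so the unchosen branch's place survives with an empty preset, which is the inconsistency the text describes.

```python
"""T-reduction of an EC net for a given T-allocation (added example)."""


def preset(net, node):
    """Nodes with an arc into `node` in the current net."""
    return {src for src, dst in net if dst == node}


def postset(net, node):
    """Nodes reached by an arc from `node` in the current net."""
    return {dst for src, dst in net if src == node}


def is_source_place(net, place):
    """A source place has no predecessor transition in the current net."""
    return not preset(net, place)


def t_reduction(arcs, allocation):
    """Return (arcs, transitions, places) of the T-reduction for `allocation`.

    Step 1 starts from the whole net; step 2 removes every transition that the
    T-allocation did not choose and propagates with rules (b) and (c) until
    nothing changes any more (rule (d)).  Places are named "p...", transitions
    "t..."; arc weights play no role in the reduction.
    """
    net = set(arcs)
    transitions = {n for arc in arcs for n in arc if n.startswith("t")}
    places = {n for arc in arcs for n in arc if n.startswith("p")}
    pending_t = [t for t in transitions if t not in allocation]
    pending_p = []  # (removed place, its successor transitions)

    def drop_transition(tk):
        nonlocal net
        if tk not in transitions:
            return set()
        succ = postset(net, tk)
        net = {arc for arc in net if tk not in arc}
        transitions.discard(tk)
        return succ

    def drop_place(s):
        nonlocal net
        if s not in places:
            return
        pending_p.append((s, postset(net, s)))
        net = {arc for arc in net if s not in arc}
        places.discard(s)

    while pending_t or pending_p:
        while pending_t:  # rules (a) and (b)
            for s in drop_transition(pending_t.pop()):
                if s not in places or preset(net, s):  # (b)i: another feeder
                    continue
                feeds_sibling = any(
                    p != s and not is_source_place(net, p)
                    for t in postset(net, s)
                    for p in preset(net, t)
                )
                if feeds_sibling:  # (b)ii: the successor has another active input
                    continue
                drop_place(s)
        while pending_p:  # rule (c)
            _, successors = pending_p.pop()
            for tj in successors:
                if tj not in transitions:
                    continue
                pre = preset(net, tj)
                if not pre:  # (c)i: no predecessor place left
                    pending_t.append(tj)
                elif all(is_source_place(net, p) for p in pre):  # (c)ii
                    for p in pre:
                        drop_place(p)
                    pending_t.append(tj)
    return net, transitions, places


def inactive_places(net, places):
    """Places whose preset is empty in the reduced net: they hold only a
    finite number of tokens, so the reduction is inconsistent if any remain."""
    return {p for p in places if not preset(net, p)}


# Constructed nets (assumptions for this example, not the paper's figures).
# NET_BRANCH: source t1 feeds choice place p1; branches t2->p2->t4 and
# t3->p3->t5 merge in place p4, consumed by t6.
NET_BRANCH = {
    ("t1", "p1"), ("p1", "t2"), ("p1", "t3"), ("t2", "p2"), ("t3", "p3"),
    ("p2", "t4"), ("p3", "t5"), ("t4", "p4"), ("t5", "p4"), ("p4", "t6"),
}
# NET_JOIN: same choice, but t4 needs a token from both p2 and p3.
NET_JOIN = {
    ("t1", "p1"), ("p1", "t2"), ("p1", "t3"), ("t2", "p2"), ("t3", "p3"),
    ("p2", "t4"), ("p3", "t4"), ("t4", "p4"), ("p4", "t5"),
}

if __name__ == "__main__":
    for name, net, alloc in (("branch", NET_BRANCH, {"t1", "t2", "t4", "t5", "t6"}),
                             ("join", NET_JOIN, {"t1", "t2", "t4", "t5"})):
        reduced, ts, ps = t_reduction(net, alloc)
        print(name, sorted(ts), sorted(ps), "inactive:", inactive_places(reduced, ps))
```

For the branch net the allocation that never chooses t3 drops p3 and then t5 (rule (c)i), leaving a consistent Conflict Free net; for the join net p3 is kept by rule (b)ii because t4's other input p2 is still fed, so p3 survives with an empty preset and the reduction is reported as inactive.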

Theorem 16. The T-reduction Ri obtained by applying the reduction algorithm 
is 

1. a set of transition-generated Conflict Free nets {Ri^1, Ri^2, ..., Ri^k}. 

2. a T-component of N iff every subnet Ri^j is consistent and for each initially 
enabled transition t ∈ Ri there exists a T-invariant containing t. 

Proof. 1. Each Ri is a Conflict Free net by construction because it contains at 
most one transition for every Equal Conflict Set. Let's show that each subnet ob- 
tained from the Reduction Algorithm is transition-generated. We need to prove 
that ∀tk ∈ T_Ri and ∀s ∈ •tk ∪ tk•, s ∈ P_Ri. Consider places s ∈ tk•: the algorithm 
does not remove a place s if ∃t ∈ •s s.t. t ∈ T_Ri (Reduction Algorithm (b)i). For 
places s ∈ •tk, s is removed only if all other predecessor places of tk are source 
places (Reduction Algorithm (b)ii). In this case at the next iteration step also 
tk is removed (Reduction Algorithm (c)ii). Therefore, if t ∈ T_Ri, t• ∪ •t ⊆ P_Ri. 

2. Both directions trivially follow from part 1 of this theorem and Definition 12. 

Definition 17. An EC net N is T-allocatable if every T-reduction generated 
from a T-allocation is a T-component. 

Theorem 18. A set of finite complete cycles S that does not contain at least 
one finite complete cycle for every T-reduction is not valid. 

Proof. By contradiction. Assume that a set of finite complete cycles Σ not in- 
cluding any finite complete cycle for a T-reduction and including one finite com- 
plete cycle for any other T-reduction is valid. Consider two T-reductions: Rj 
derived from T-allocation Aj and Ri derived from Ai. Ri and Rj contain the 
same set of allocated transitions except for transitions tm and tn, which belong 
to the same Equal Conflict Set, with tm ∈ Ri and tn ∈ Rj. Since Σ is a valid set and includes one 
finite complete cycle σj for Rj, by Definition 6 it includes a sequence σx that 
is equal to σj up to transition tn and has transition tm instead of tn, while all 
the other allocated transitions that appear in σj appear also in σx. Sequence σx 
can be a finite complete cycle only for Ri since no other T-reduction contains 
the same set of allocated transitions as Rj (except tm). This contradicts the hy- 
pothesis that Σ contains no finite complete cycle for T-reduction Ri. Therefore, 
the assumption that Σ is valid was not true. 

The following fundamental theorem states that T-allocatability, together 
with schedulability of every T-component, is a necessary and sufficient condition 
for the existence of a valid set of finite complete cycles. A net is T-allocatable if 
for all its components, each of them corresponding to a sequence of choices, there 
exists a cyclic schedule containing at least one occurrence of every initially en- 
abled transition of the component. This means that a T-allocatable net, if there 
is no deadlock during execution of the cyclic schedules, can be executed forever 
with bounded memory, because for every choice there is always the possibility 
to complete successfully a finite cycle of firings that returns the net to the initial 
marking. Intuitively, T-allocations can be interpreted as control functions that 
choose which transition fires among several conflicting ones and therefore which 
component of the net is active at every cycle. 

Theorem 19. Given an EC net, there exists a valid set of finite complete cycles 
iff it is T-allocatable and every T-component is schedulable. 

Proof. (⇒) Let us prove that if the net is not T-allocatable or there exists a 
T-component that is not schedulable, there exists no valid set of finite complete 
cycles. 

— Case 1: the net is not T-allocatable. This means that there exists at least 
one T-allocation Ai for which the generated T-reduction Ri is not a T- 
component. This may occur either if Ri is not consistent or if there exists 
at least an initially enabled transition tk ∈ Ri such that no T-invariant of 
Ri contains tk. In the first case, i.e. Ri is not consistent, there is no finite 
complete cycle for the T-reduction Ri (i.e. for some non-deterministic choice 
resolutions there is unbounded accumulation of tokens). In the second case, 
i.e. there exists a finite complete cycle fcc_i for Ri not including transition 
tk, this finite complete cycle cannot be included in the valid set S because 
it does not satisfy the fairness condition of Definition 6. In both cases, any 
set S of finite complete cycles does not contain a finite complete cycle for 
T-reduction Ri. By Theorem 18, S is not a valid set of finite complete 
cycles. 

— Case 2: if a T-component Ri is not schedulable, there is no finite complete 
cycle for Ri and, using the same argument as above, there exists no valid set of 
finite complete cycles. 

(⇐) By construction. The net is T-allocatable and each T-component is a 
schedulable Conflict Free net. We derive a valid set of finite complete cycles 
Σ as follows: first of all, consider an arbitrarily chosen T-component TCi and 
insert in Σ a finite complete cycle σi containing at least one occurrence of every 
transition in TCi. Then, iterate for all sequences in Σ the following step: for 
every first occurrence of each conflicting transition tm ∈ σi insert in Σ a finite 
complete cycle σj for the T-component TCj which contains the same allocated 
transitions as TCi except for tn instead of tm. Choose σj so that it begins 
with the same subsequence as σi up to the different allocated transition, where 
it contains tn instead of tm. Also, σj must contain at least one occurrence of 
every transition in TCj. The set Σ derived following the above rules satisfies 
Definition 6. Condition (1) is trivially satisfied by construction. Condition (2) 
holds because σj contains at least one occurrence of every transition of TCj and, 
since all the transitions of the net not in TCj were removed in the Reduction 
process, they cannot be enabled for all markings reached by σj. 

To check if a given net is T-allocatable, it is necessary to verify that every 
T-reduction obtained from the Reduction Algorithm is a T-component. For this 
purpose one must solve the state equations for every subnet of the T-reduction 
and check consistency; in case any subnet of the T-reduction contains merge 
places, it is also necessary to check for this subnet that every transition initially 
enabled is in the support of at least one T-invariant. To detect whether a T-component 
is schedulable, the simulation-based technique for WT-Systems described in Sec- 
tion 3 is used. At this point, finite complete cycles are derived from the T- 
invariants. 

In terms of complexity, the number of T-reductions (and therefore the number 
of applications of the Reduction Algorithm that computes them) is exponential 
in the number of conflicting transitions. However, simple heuristics can be used 
to reduce the cost of the algorithm in most practical cases. The cost of 
computing a static schedule for each T-reduction is polynomial. 

Let us describe two examples. 

The EC net presented in figure 6 is not T-allocatable. Figure 7 shows the steps 
of the Reduction Algorithm applied to T-allocation A1 = {t1, t2, t4, t5, t6, t7}. 
The generated T-reduction R1, which is inconsistent because it contains an in- 
active place, is not a T-component and the net is not T-allocatable. Therefore, 
there exists no valid schedule for this EC net. In fact, if sequence σ = (t1 t2 t4) is 
fired infinitely often, there is unbounded accumulation of tokens in place p4. 



Fig. 8. Schedulable EC net 



The EC net shown in figure 8 is T-allocatable. The T-components corre- 
sponding to the four T-allocations are represented in figure 9. To find a valid set 
of finite complete cycles we solve the state equations for each T-reduction. Let us 
consider T-reduction R1. The T-invariants of R1 are (1, 1, 0, 0, 0, 0, 1, 1, 1, 0, 0, 0) 
and (0, 0, 0, 1, 1, 0, 0, 0, 1, 0, 1, 1). From the T-invariants a finite complete cycle is 
derived only after simulation checks that there is no deadlock. The same proce- 
dure is repeated for each T-reduction and a valid set of finite complete cycles for 
this EC net is {(t1 t2 t7 t8 t9 t4 t5 t11 t12 t9), (t1 t3 t10 t12 t9 t4 t5 t11 t12 t9), (t1 t2 t7 t8 t9 t4 t6), 
(t1 t3 t10 t12 t9 t4 t6)}. 

Once a valid set of finite complete cycles is obtained, we need to check exe- 
cutability, i.e. whether there are enough tokens at the initial marking to execute 
all the finite complete cycles without a deadlock. The existence of a valid set 
of finite complete cycles guarantees by definition that each finite complete cycle 
is executable in the subnet in which the finite complete cycle was found. How- 
ever, if the EC net contains a strongly connected subnet with a choice (figure 
3), we must conduct an executability check for each such structure, since 
executability of each component does not imply executability of the whole net. 

Fig. 9. T-components (the T-allocations shown include A3 = {t1, t2, t4, t6, t7, t8, t9, t10, t11, t12} 
and A4 = {t1, t3, t4, t6, t7, t8, t9, t10, t11, t12}) 

Consider the net shown in Figure 3. Two T-invariants are obtained, (t2 t2 t4 t6) 
and a second one, each defined for a subnet correspond- 
ing to a simple cycle of the figure. When the executability of each T-invariant is 
checked for its subnet, we conduct a symbolic simulation. We assign a variable 
to each of the places in the subnet that are choices in the original EC net and 
have initial tokens, e.g. a variable p1^(1) at the place p1 in the subnet for the first 
T-invariant above (upper cycle in the figure). We then simulate the T-invariant, 
using these variables as the initial numbers of tokens at such places, while we use 
the actual number of tokens for a place that is initially marked but for which no variable 
is defined. The result of the simulation is an inequality over the variables such 
that the given initial numbers of tokens allow the T-invariant to be executed if and 
only if the inequality holds. For our example, we obtain p1^(1) ≥ 2, which means 
that the place p1 must have at least two tokens in order to execute the first T- 
invariant in its subnet. Similarly, for the second T-invariant, we obtain p1^(2) ≥ 2, 
where p1^(2) is the variable defined at p1 for the corresponding subnet. Since p1 is 
initially marked with two tokens, we also have the equation p1^(1) + p1^(2) = 2. Now, 
the value of each variable represents the number of tokens at the place that can be 
used to fire transitions in the corresponding subnet. Thus Σ is executable if for 
every integer assignment of these variables which satisfies the equation, at least 
one of the inequalities holds. Equivalently, Σ is not executable if there exists 
an integer solution which satisfies the equation but none of the inequalities. In 
this example, by reversing the directions of the inequalities, our problem is to 
find a solution for the system made of p1^(1) + p1^(2) = 2, p1^(1) < 2, and p1^(2) < 2. 
Since p1^(1) = p1^(2) = 1 is such a solution, we conclude that this valid set of finite 
complete cycles is not executable. In general, we obtain a set of inequalities and 
equalities, where each inequality is a boolean disjunction of linear equations and 
each equality is a linear equation. The problem can be solved by iteratively solv- 
ing an integer program. Alternatively, the equalities and inequalities may 
be represented using decision diagrams, e.g. [ref], and the existence of a solution 
can be found in constant time by tautology checking. 
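The executability check of this paragraph as an added Python example (this is not the paper's code): each T-invariant is simulated symbolically on its own subnet with an unknown number of tokens x at the shared choice place, which yields the requirement x ≥ (largest deficit seen during the run); the set of cycles is then executable iff every integer split of the initial tokens among the subnets satisfies at least one requirement. The net is a constructed reconstruction of the two simple cycles of Figure 3: the transition names t2 to t7 and the arc weights are assumptions, chosen so that each cycle needs two tokens from p1, as in the text.

```python
"""Executability check for a set of finite complete cycles (added example)."""
from itertools import product

# A subnet maps transition -> (consumed, produced), each a dict place -> weight.
# Constructed example: two cycles sharing the choice place p1 (two initial
# tokens); both take two tokens from p1 before giving them back.
SUBNET_1 = {
    "t2": ({"p1": 1}, {"p2": 1}),
    "t4": ({"p2": 2}, {"p4": 1}),
    "t6": ({"p4": 1}, {"p1": 2}),
}
SUBNET_2 = {
    "t3": ({"p1": 1}, {"p3": 1}),
    "t5": ({"p3": 2}, {"p5": 1}),
    "t7": ({"p5": 1}, {"p1": 2}),
}
CYCLE_1 = ["t2", "t2", "t4", "t6"]
CYCLE_2 = ["t3", "t3", "t5", "t7"]


def symbolic_min_tokens(subnet, cycle, var_place, marking):
    """Symbolically simulate `cycle` on `subnet`.

    Tokens at `var_place` are the unknown x; every other place starts with the
    concrete `marking`.  Returns the smallest x that lets the whole cycle fire,
    or None if a concrete place runs dry (the cycle deadlocks whatever x is).
    """
    m = dict(marking)
    m[var_place] = 0          # we track x + delta and only need delta
    lowest = 0
    for t in cycle:
        consumed, produced = subnet[t]
        for p, w in consumed.items():
            m[p] = m.get(p, 0) - w
            if p == var_place:
                lowest = min(lowest, m[p])
            elif m[p] < 0:
                return None
        for p, w in produced.items():
            m[p] = m.get(p, 0) + w
    return -lowest            # x + delta >= 0 at every step  <=>  x >= -lowest


def is_executable(requirements, total):
    """requirements[i] is the minimum token count cycle i needs at the shared
    choice place; `total` is that place's initial marking.  Executable iff every
    split of `total` among the cycles satisfies at least one requirement.
    Returns (executable, counterexample split or None)."""
    k = len(requirements)
    for split in product(range(total + 1), repeat=k):
        if sum(split) != total:
            continue
        if not any(x >= r for x, r in zip(split, requirements)):
            return False, split
    return True, None


def check_example(total=2):
    """Run both steps for the constructed net with `total` tokens in p1."""
    r1 = symbolic_min_tokens(SUBNET_1, CYCLE_1, "p1", {})
    r2 = symbolic_min_tokens(SUBNET_2, CYCLE_2, "p1", {})
    return r1, r2, is_executable([r1, r2], total)


if __name__ == "__main__":
    print(check_example())      # (2, 2, (False, (1, 1)))
    print(check_example(3))     # with three tokens every split works
```

The enumeration is the brute-force form of the integer program mentioned in the text; for larger nets the same requirements would be handed to an ILP solver or encoded as decision diagrams, but the generated constraints are the same.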
4.3 BDF and Petri Nets 

The problem of scheduling specifications containing data-dependent control was 
first addressed in [ref]. Buck and Lee [ref] introduced the Boolean Data Flow (BDF) 
networks model and proposed an algorithm to compute a quasi-static schedule. 
However, the problem of scheduling BDFs with bounded memory is undecidable, 
i.e. any algorithm may fail to find a schedule even if the BDF is schedulable. 
Hence, the algorithm proposed by Buck can find a solution only in special cases. 
On the contrary, schedulability of PNs is decidable as a consequence of the de- 
cidability of the reachability problem [ref]. PNs and Boolean Dataflow networks 
(BDF) [ref], both used to model specifications containing data-dependent con- 
trol, have different expressive power. One difference is in the semantics of the 
communication channels among blocks. Channels in BDFs are FIFO queues that 
preserve the order of the valued tokens. Instead, PNs do not have FIFO seman- 
tics because the tokens do not carry values [ref]. This implies also that in the 
PN model, differently from BDF, there can be no correlation among the results 
of different non-deterministic choices. The latter property in particular implies 
that some schedulable BDF nets are not schedulable when modeled as an EC 
net, just as some schedulable BDFs are not schedulable according to [ref]. 

BDF is a determinate model, since all the valid executions of the network 
produce the same token streams regardless of the order in which the actors are 
executed [ref], while PNs are not determinate when they contain merge places. 
However, it is possible to make a PN determinate by imposing appropriate condi- 
tions on the schedule. For example, the net shown in figure 10 is not determinate 



Fig. 10. Example of non-determinate PN 



because of the presence of the non-deterministic merge, i.e. there is no guaran- 
tee on the order of the tokens in the output stream if t6 and t7 are concurrently 
enabled. To enforce determinacy, it is necessary to impose some restrictions on 
the scheduler and ensure that the states where two merging transitions are con- 
currently enabled are never reached. One way is to allow tokens to enter the net 
(i.e. firing t1) only if no other transition is enabled. Further investigation in this 
direction is necessary to formally define and prove the conditions under which a 
PN is determinate. 
5 C-Code Generation 

The final goal of this paper is the synthesis of a software implementation¹ 
that satisfies functional correctness and minimizes a cost function of latency and 
memory size. In general, such an implementation consists of a set of software tasks 
that are invoked by the Real Time Operating System either by interrupt or 
polling. Our approach for software synthesis derives an implementation directly 
from a valid schedule, which should be intended as an intermediate description, 
containing in explicit form a set of rules, such as number and order of firing of 
transitions, that an implementation should follow to guarantee bounded memory 
execution. In this Section we show how to generate from a valid schedule an im- 
plementation that consists of as many fragments of C code (tasks) as the number 
of source transitions with independent firing rate. Transitions with independent 
firing rate cannot be quasi-statically scheduled together and therefore a task is 
composed only of transitions with dependent firing rates, that is, transitions 
belonging to the same T-invariant. 



Schedule(Σ) 

  while (ti ≠ EOS) { Task(Σ, i); i = i + 1; } 

Task(Σ, i) 

  while (ti ≠ EOT) { 
    if ti is already visited 
      then { insert goto label ti } 
      else { 
        if ti is a conflicting transition { insert if..then..else } 
        if f(ti) < f(ti-1) { insert counting var and if test } 
        if f(ti) > f(ti-1) { insert counting var and while test } 
        if f(ti) = f(ti-1) { insert ti } } } 
end Task 

Fig. 11. Pseudo-code of the code generation algorithm 



A pseudocode description of the algorithm that generates C code is shown in 
figure 11 (EOS means End of Sequence and EOT means End of T-invariant). The 
routine Schedule visits all the transitions in the valid schedule Σ, by calling the 
routine Task every time a new T-invariant is visited. Task checks if a transition 
has already been visited and, if so, inserts a label and a goto to avoid repetition 
of code. This corresponds to the presence of a merge place in the EC net model 
that yields code patterns which are common either to the branches of an if-then- 
else or are shared by different tasks. Instead, if the transition currently visited is 
a conflicting one, an if-then-else structure is generated and the code in the two 
branches is synthesized by traversing the two finite complete cycles of Σ contain- 
ing the conflicting transitions. In case of multirate nets, a variable counting the 
number of tokens and a test are used to determine whether an operation should 
be executed. Figure 12 provides an example of C program generated for the net 
shown in figure 4 and whose valid schedule is S = . 

¹ We consider uni-processor architectures, which are used for most embedded systems 
applications like cellular phones, multimedia set-top boxes etc. 



while (true) { 
  t1; 
  if (p1) { 
    t2; count(p2)++; 
    if (count(p2) == 2) { 
      t4; count(p2) -= 2; } 
  } else { 
    t3; count(p3) += 2; 
    while (count(p3) >= 1) { 
      t5; count(p3)--; } } } 

Fig. 12. C code for the EC net of figure 4 
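The Task routine of Fig. 11 for the single-choice case, as an added Python example that emits C text in the shape of Fig. 12 (this is not the paper's generator). It assumes a constructed net shaped like figure 4, given as weighted arcs, and an assumed valid schedule {(t1 t2 t1 t2 t4), (t1 t3 t5 t5)} with one finite complete cycle per branch; f(ti) is the number of occurrences of ti in its cycle, and the counting variable follows the arc weights around the place between two transitions. Transitions already emitted in the common prefix are simply not repeated in a branch, which stands in for the label-and-goto case of the pseudo-code.

```python
"""Generate a C task from a valid schedule with one choice place (added example)."""
from collections import Counter

# Constructed net in the shape of the paper's figure 4 (an assumption):
# (transition, place, weight) for production, (place, transition, weight)
# for consumption.
ARCS = [
    ("t1", "p1", 1), ("p1", "t2", 1), ("p1", "t3", 1),
    ("t2", "p2", 1), ("p2", "t4", 2),   # t4 needs two tokens from p2
    ("t3", "p3", 2), ("p3", "t5", 1),   # t3 puts two tokens into p3
]
CHOICE_PLACE = "p1"
# Assumed valid schedule for that net: one finite complete cycle per branch.
SCHEDULE = [["t1", "t2", "t1", "t2", "t4"], ["t1", "t3", "t5", "t5"]]


def weight(src, dst):
    """Weight of the arc src -> dst."""
    return next(w for a, b, w in ARCS if a == src and b == dst)


def place_between(prev, cur):
    """The place that `prev` produces into and `cur` consumes from."""
    outs = {b for a, b, _ in ARCS if a == prev}
    ins = {a for a, b, _ in ARCS if b == cur}
    return next(iter(outs & ins))


def branch_code(cycle, start, visited, indent):
    """Code for the not-yet-visited transitions of `cycle` from index `start`,
    in first-occurrence order, following the three rate cases of Task."""
    f = Counter(cycle)
    order = [t for t in dict.fromkeys(cycle[start:]) if t not in visited]
    lines, prev = [], None
    for t in order:
        if prev is None:
            lines.append(f"{indent}{t};")
        elif f[t] == f[prev]:            # same rate: plain sequencing
            lines.append(f"{indent}{t};")
        else:
            p = place_between(prev, t)
            w_in, w_out = weight(prev, p), weight(p, t)
            lines[-1] += f" count({p}) += {w_in};"   # tokens produced by prev
            body = f"{t}; count({p}) -= {w_out};"
            # slower consumer: guard with an if test; faster: drain with while
            kw = "if" if f[t] < f[prev] else "while"
            lines.append(f"{indent}{kw} (count({p}) >= {w_out}) {{ {body} }}")
        prev = t
    return lines


def generate_task(schedule, choice_place):
    """Emit the endless task: common prefix, then if/else on the choice place."""
    first, second = schedule
    k = 0
    while first[k] == second[k]:
        k += 1
    prefix = first[:k]
    out = ["while (true) {"]
    out += [f"  {t};" for t in prefix]
    out.append(f"  if ({choice_place}) {{")
    out += branch_code(first, k, set(prefix), "    ")
    out.append("  } else {")
    out += branch_code(second, k, set(prefix), "    ")
    out += ["  }", "}"]
    return "\n".join(out)


if __name__ == "__main__":
    print(generate_task(SCHEDULE, CHOICE_PLACE))
```

For the assumed schedule the t2 branch gets an if test (t4 fires once per two t2) and the t3 branch a while loop (t5 fires twice per t3), which is the structure of Fig. 12.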



6 Experimental Results 

We applied our algorithm to synthesize a software implementation of a real 
life embedded system: an ATM server for Virtual Private Networks [ref]. The 
main functionalities of the server are (1) a message discarding technique (MSD) 
that avoids node congestion and (2) a bandwidth control policy based on a 
Weighted Fair Queueing (WFQ) scheduling discipline. Figure 13(a) gives a high- 
level description of the algorithm. The inputs of the system are Cell, an interrupt 
that occurs at irregular times when a non-empty cell enters the Server, and Tick, 
an event that periodically triggers the process of forwarding the next outgoing 
cell to the output port. Therefore, Cell and Tick are inputs with independent 
firing rate. The module MSD decides whether an incoming cell must be accepted 
and the module CELL_EXTRACT selects, every cell slot, which cell must be 
emitted among those stored in the internal buffer. WFQ_SCHEDULING may be 
activated either by MSD or by CELL_EXTRACT and computes the cell emission 
time. We have chosen this example because it implements a data-dominated 
algorithm containing several data-dependent control structures. We modeled the 
algorithm using an ECN containing 49 transitions and 41 places (figure 13(b)), of 
which 11 are non-deterministic choices. From the ECN model we could derive a valid 
schedule containing 120 finite complete cycles, one for each different T-reduction, 
and from the valid schedule we obtained a software implementation composed 
of two tasks, one for each input with independent firing rate. 

In table I we compare two software implementations: the first, named QSS, 
was obtained using our Quasi-Static Scheduling based technique and consists 
of two tasks; the second, named functional task partitioning, consists of five 
tasks and was obtained by synthesizing separately one task for each of the five 
modules shown in figure 13(a). The results, obtained using a testbench of 50 ATM 
cells, show that the number of clock cycles and the code size are significantly 
smaller for the QSS implementation, which is composed of a smaller number of 
tasks and therefore has a smaller overhead due to task activation. 

Table I 

Sw implementation      QSS        Functional task partitioning 
Number of tasks        2          5 
Lines of C code        1664       2187 
Clock cycles           1975261    249726 








Fig. 13. ATM Server functional description (a) and ECN model (b) 



7 Conclusions 

In this paper we have defined schedulability for Equal Conflict Nets and pre- 
sented a quasi-static scheduling (QSS) algorithm that finds a schedule whenever 
one exists. This result is important because QSS, by maximizing the amount of 
work done at compile time, allows a significant reduction of the run-time schedul- 
ing overhead. Moreover, we have explained why EC nets are an appropriate 
model for embedded systems specifications containing data processing and data- 
dependent control, and compared them with other models. We have shown how 
a valid schedule can be found by extending well-established techniques used for 
scheduling Weighted T-Systems, and also presented how to generate a C code 
implementation of the schedule. The presented algorithms have been applied to 
a real case study, an ATM Server, and their potential has been demonstrated. 
Abstract. The model of recursive Petri nets (RPNs) has been intro- 
duced in the field of multi-agent systems in order to model flexible plans 
for agents. In this paper we focus on some theoretical aspects of RPNs. 
More precisely, we show that this model is a strict extension of the model 
of Petri nets in the following sense: the family of languages of RPNs 
strictly includes the union of Petri net and Context Free languages. Then 
we prove the main result of this work, the decidability of the reachability 
problem for RPNs. 



1 Introduction 

Since the introduction of Petri nets, even before the decidability of the reacha- 
bility problem was solved, theoretical works have been developed in order 
to study the impact of extensions of Petri nets on this problem. For instance, the 
reachability problem is undecidable for Petri nets with two inhibitor arcs while 
it becomes decidable with one inhibitor arc or a nested structure of inhibitor 
arcs [ref]. The self-modifying nets introduced by R. Valk have (like Petri 
nets with inhibitor arcs) the power of Turing machines and thus many properties 
including reachability are undecidable [ref]. Introducing restrictions 
on self-modifying nets enables one to decide some properties [ref] (boundedness, 
coverability, termination, ...) but reachability remains undecidable. 

Recently Recursive Petri nets (RPNs) have been proposed for modeling plans 
of agents in a multi-agent system [ref]. A RPN has the same structure as 
an ordinary one except that the transitions are partitioned into three categories: 
elementary transitions, abstract transitions and final transitions. Moreover a 
starting marking is associated to each abstract transition. The semantics of such 
a net may be informally explained as follows. In an ordinary net, a thread plays 
the token game by firing a transition and updating the current marking (its 
internal state). In a RPN there is a dynamical tree of threads (denoting the 
fatherhood relation) where each thread plays its own token game. The step of a 
RPN is thus a step of one of its threads. If the thread fires an elementary tran- 
sition, then it updates its current marking using the ordinary firing rule. If the 
thread fires an abstract transition, it consumes the input tokens of the transition 
and generates a new child which begins its token game with the starting marking 
of the transition. If the thread fires a final transition, it aborts its whole descent 
of threads, produces (in the token game of its father) the output tokens of the 
abstract transition which gave birth to it and dies. In case of the root thread, 
one obtains an empty tree. 

The modeling capabilities of RPNs can be illustrated in different ways. In a 
subsequent section, we present the modeling of faults within a system, whereas an 
equivalent modeling by an ordinary Petri net is not known to be possible. RPNs 
also make it easy to model multi-level executions (e.g. interruptions). In case 
of planning of agents, abstract transitions model the deferred planning of complex 
actions. 

As soon as a new model is proposed, a significant question (at least if a 
semantics of the firing sequence is possible) is to know whether the model is 
really an extension or simply an abbreviation. For instance the model of colored 
Petri nets with finite color domains is an abbreviation whereas allowing infinite 
domains extends the ordinary Petri nets. In case of RPNs we show that this 
model is a strict extension of ordinary Petri nets. Our proof is based on a result 
in [ref] which establishes that the palindrome language is not a Petri net lan- 
guage (even in the largest definitions). Thus we exhibit a RPN which recognizes 
this language. Moreover, we prove that RPN languages strictly include the union 
of Context Free and Petri net languages. 

Then we tackle the main question about strict extensions of Petri nets: 
does the reachability problem remain decidable? This question is theoretically 
important as it seems a limit result. Recently in [ref], it has been stated that 
reachability is decidable for Petri nets with one inhibitor arc (or more generally 
with a nested structure of inhibitor arcs). We prove that the reachability problem 
is also decidable for RPNs. Our proof is divided into three steps. First we prove 
that one can decide whether the thread initiated by an abstract transition can die 
by some sequence, in which case we call such a transition a "closable transition". 
Then we study the structure of a hypothetical sequence for the reachability and 
show that its existence is equivalent to the existence of sequences of reachability 
for initial and final states of less complexity (in terms of the size of their tree of 
threads). Finally we show that when the initial and final states are associated to 
one (or zero) thread, then the problem is equivalent to the ordinary reachability 
where the non closable abstract transitions are deleted and each closable one is 
replaced by an equivalent elementary one. 

The paper is organized as follows. In Sect. 2 we define RPNs and we 
give some examples in order to understand their behavior and their modeling 
capability. Then, we show that the model is a strict extension of Petri nets and 
that their languages strictly include the union of Petri net and Context Free 
languages. In Sect. 3 we prove the decidability of the reachability problem. In 
the last section, we conclude by giving some perspectives on this work. 

2 Recursive Petri Nets 

2.1 Structure 

A recursive Petri net is defined by a tuple $N = (P, T, W^-, W^+, \Omega)$ where 

- $P$ is a finite set of places. 

- $T$ is a finite set of transitions. 

- A transition of $T$ can be either elementary, abstract or final. The sets of 
elementary, abstract and final transitions are respectively denoted by $T_{el}$, 
$T_{ab}$ and $T_{fi}$ (with $T = T_{el} \uplus T_{ab} \uplus T_{fi}$, where $\uplus$ denotes the disjoint union). 

- $W^-$ and $W^+$ are the pre and post flow functions defined from $P \times T$ to $\mathbb{N}$. 

- $\Omega$ is a labeling function which associates to each abstract transition an 
ordinary marking (i.e. an element of $\mathbb{N}^P$). 

An extended marking $tr$ of a recursive Petri net $N = (P, T, W^-, W^+, \Omega)$ is 
a labeled tree $tr = (V, M, E, A)$ where $V$ is the set of vertices, $M$ is a mapping 
$V \to \mathbb{N}^P$, $E \subseteq V \times V$ is the set of edges and $A$ is a mapping $E \to T_{ab}$. We 
denote by $v_0(tr)$ the root node of the extended marking $tr$. The edges $E$ build a 
tree, i.e. for each $v$ different from $v_0(tr)$ there is one and only one $(v', v) \in E$, and 
there is no $(v, v_0(tr)) \in E$. Any ordinary marking can be seen as an extended 
marking composed of a unique node. The empty tree is denoted by $\bot$. 

Remark: An extended marking does not depend on $V$, the set of vertices. 
Given two extended markings, if there is a one-to-one mapping between the two 
sets of vertices which preserves the set of edges, the labeling of the vertices (their 
markings) and the labeling of the edges, then the two markings are equal. 

A marked recursive Petri net $(N, tr_0)$ is a recursive net $N$ associated to an 
initial extended marking $tr_0$. This initial extended marking is usually a tree 
reduced to a unique vertex. 

For a vertex $v$ of an extended marking, we denote by $pred(v)$ its (unique) 
predecessor in the tree (defined only if $v$ is different from the root) and by $Succ(v)$ 
the set of its direct and indirect successors including $v$ itself ($\forall v \in V$, $Succ(v) = \{v' \in 
V \mid (v, v') \in E^*\}$, where $E^*$ denotes the reflexive and transitive closure of $E$). 

A branch $br$ of an extended marking $tr$ is one of the subtrees rooted at a son 
of $v_0(tr)$. One can associate to a branch a couple $(t, tr')$ where $t$ is the abstract 
transition which labels the edge leading to the subtree and $tr'$ is the subtree taken 
in isolation. Let us note that the couple $(t, tr')$ characterizes a branch. 

In other words, given an extended marking $tr$, a branch $br$ with its couple 
$(t, tr')$ fulfills: $tr'$ is a subtree of $tr$ verifying $(v_0(tr), v_0(tr')) \in E$ (i.e. in $tr$, the 
root of $tr'$ is a direct successor of the root of $tr$) and $A(v_0(tr), v_0(tr')) = t$ (i.e. 
in $tr$, the arc between the root of $tr$ and $tr'$ is labeled by $t$). 

We denote by $Branch(tr)$ the set of branches of an extended marking $tr$ and 
by $branch(tr, t)$ the subset of $Branch(tr)$ whose edge leading to the subtree 
is labeled by $t$. 

We denote by $(m, Br)$, where $m$ is an ordinary marking and $Br$ a set of 
branches, the extended marking $tr$ verifying $M(v_0(tr)) = m \wedge Branch(tr) = Br$. 

The depth of an extended marking is recursively defined as follows: let $m$ 
be an ordinary marking and $tr$ an extended marking. 

- $depth(\bot) = 0$ 

- $depth(m) = 1$ 

- $depth(tr) = \max(\{depth(tr') \mid \exists (t, tr') \in Branch(tr)\}) + 1$ 



2.2 Semantics 

A transition $t$ is enabled in a vertex $v$ of an extended marking $tr$ iff $\forall p \in 
P$, $M(v)(p) \ge W^-(p, t)$. In other words, the thread associated to each node uses 
the same rule for the enabling of a transition as for ordinary Petri nets. 

We denote by $tr \xrightarrow{t}$ that there exists a node $v$ of $tr$ in which the transition 
$t$ is firable. 

The firing of an enabled transition $t$ from a vertex $v$ of an extended marking 
$tr = (V, M, E, A)$ leads to the extended marking $tr' = (V', M', E', A')$ depending 
on the type of $t$: 

$t$ is an elementary transition ($t \in T_{el}$). The thread associated to $v$ fires such 
a transition as for ordinary Petri nets. The structure of the tree is unchanged. 
Only the current marking of $v$ is updated. 

- $V' = V$ 

- $\forall v' \in V \setminus \{v\}$, $M'(v') = M(v')$ 

- $\forall p \in P$, $M'(v)(p) = M(v)(p) - W^-(p, t) + W^+(p, t)$ 

- $E' = E$ 

- $\forall e \in E$, $A'(e) = A(e)$ 

$t$ is an abstract transition ($t \in T_{ab}$). The thread associated to $v$ consumes 
the input tokens of $t$. It generates a new thread $v'$ whose initial marking is the 
starting marking of $t$. Let us note that the identifier $v'$ is a fresh identifier absent 
from $V$. 

- $V' = V \cup \{v'\}$ 

- $\forall v'' \in V \setminus \{v\}$, $M'(v'') = M(v'')$ 

- $\forall p \in P$, $M'(v)(p) = M(v)(p) - W^-(p, t)$ 

- $M'(v') = \Omega(t)$ 

- $E' = E \cup \{(v, v')\}$ 

- $\forall e \in E$, $A'(e) = A(e)$ 

- $A'((v, v')) = t$ 

$t$ is a final transition ($t \in T_{fi}$). If the thread is associated to the root of the 
tree, the firing leads to the empty tree. Otherwise, the thread associated 
to $v$ produces the output tokens of the abstract transition which gave birth to 
it in the marking of its father. Then it (and its whole descent) dies. 

- $V' = V \setminus Succ(v)$ 

- $\forall v' \in V' \setminus \{pred(v)\}$, $M'(v') = M(v')$ 

- $\forall p \in P$, $M'(pred(v))(p) = M(pred(v))(p) + W^+(p, A(pred(v), v))$ 

- $E' = E \cap (V' \times V')$ 

- $\forall e \in E'$, $A'(e) = A(e)$ 

We denote by $tr \xrightarrow{t} tr'$ that there exists a node $v$ of $tr$ such that the firing of 
$t$ in $v$ leads the net to the extended marking $tr'$. 

A firing sequence is defined as usual: a transition sequence $\sigma = t_1 t_2 \cdots t_n$ is 
enabled from an extended marking $tr_0$ (denoted by $tr_0 \xrightarrow{\sigma}$) iff there exist $tr_1$, 
$tr_2, \dots, tr_n$ such that $tr_{i-1} \xrightarrow{t_i} tr_i$ for $i \in [1, n]$; we then write $tr_0 \xrightarrow{\sigma} tr_n$. 

Important remark: In a firing sequence, we impose (w.l.o.g.) that any fresh 
identifier is new not only in the current tree but also in all the previous trees of 
the sequence. Such a restriction ensures that if the roots of two branches of two 
trees of the sequence are associated to the same identifier then they denote the 
same branch (with possible changes of structure and marking). 

We denote by $\mathcal{L}(N, tr_0, Tr_f)$ (where $Tr_f$ is a finite set of extended markings) the set of 
firing sequences of $N$ from $tr_0$ to a marking of $Tr_f$. This set is called the language 
of $N$. 

Let $\sigma$ be a firing sequence and $tr_1, tr_2, \dots, tr_n$ the extended markings visited 
by $\sigma$; the depth of $\sigma$ (denoted by $Depth(\sigma)$) is the maximal depth of $tr_1, tr_2, 
\dots, tr_n$. 

2.3 Recursive Petri Nets versus Petri Nets 

In this section, we show that the recursive Petri net model is a strict extension 
of Petri nets. 

For this demonstration, we consider labeled recursive Petri nets. Such a net 
associates to a recursive net a labeling function $h$ defined from the transition 
set $T$ to an alphabet $\Sigma \cup \{\lambda\}$ ($\lambda$ being the empty word); $h$ is extended to sequences 
and also to languages. The language of a labeled recursive Petri net is defined 
by $h(\mathcal{L}(N, tr_0, Tr_f))$. 

Fig. 1 gives a marked labeled recursive Petri net. The marking associated 
to both abstract transitions is $P$. 

Figure 2 presents a prefix of its reachability graph. Notice that the complete 
graph is infinite. From the initial marking, all the transitions adjacent to the 
place $P$ are enabled. The firing of the abstract transition labeled $a$ consumes the 
token of the place $P$ and leads to the construction of a successor node associated 
to the marking $P$. The arc between the two nodes is labeled by $a$. The firing 
of the final transition labeled $a$ from the initial marking leads to the empty tree. 

M. Jantzen has shown in [Jan79] (see also [Lam88]) that $PAL(\Sigma)$ (for $|\Sigma| \ge 
2$) is not a Petri net language (even allowing $\lambda$-transitions). 

We consider the language of the recursive net of Fig. 1 defined by the 
set of ending markings $\{\bot, P\}$ (the two corresponding markings are represented 
in bold in Fig. 2). This language is exactly $PAL(\{a, b\})$, which demonstrates 
that the recursive Petri net model is a strict extension of the Petri net one. 

Fig. 1. recursive Petri net which generates palindromes on $\{a, b\}$ (legend: elementary, final and abstract transitions; figure not reproduced) 

Fig. 2. a prefix of its reachability graph (figure not reproduced) 

2.4 Expressive Power of Recursive Petri Nets 

We now show that recursive Petri net languages strictly include the union of 
Context Free and Petri net languages. 

Proposition 1 (Strict Inclusion). 

Recursive Petri net languages strictly include the union of Context Free and 
Petri net languages. 

Proof (Sketch). As the complete proof is not particularly difficult, we only give 
a sketch of it based on a simple example. 

It is clear that recursive Petri net languages include Petri net languages. So 
we begin with the inclusion of Context Free languages. We consider a Context 
Free language defined by a set of symbols partitioned into terminal symbols $T$ 
and non-terminal symbols $N$. To each non-terminal symbol $s \in N$ is associated 
a non-empty set $\{s_1, s_2, \dots, s_n\}$ of words on $T \cup N$. A particular non-terminal 
symbol $s_0$ is designated as the initial one. A word of the language is obtained 
by choosing a word in the set associated to $s_0$ and then by iteratively substituting 
in it a non-terminal symbol by an element of the associated set until the word 
does not contain any non-terminal symbol. 

For a given Context Free language, we can construct a RPN having exactly 
the same language. 

For any set associated to a non-terminal symbol $s$, we build a particular 
subnet of the RPN. First, we add a place $P_s$. Each element of the set associated 
to $s$ leads to the production of a sequence of transitions. Let $s_i$ be such an 
element. For each non-terminal symbol $r$ composing $s_i$, we add an abstract 
transition labeled by $\lambda$ and associated to the ordinary marking $P_r$. For each 
terminal symbol $a$, we add an elementary transition labeled by $a$. Moreover, to 
each of these transitions we add an output place and give as input place the 
output place of the transition associated to the symbol preceding the considered 
one in the word $s_i$. Finally, the input place of the first transition is designated 
to be $P_s$ and a final transition labeled $\lambda$ is constructed at the output of the last 
place in the sequence. 

The initial extended marking is composed of only one node whose 
ordinary marking is $P_{s_0}$, and the language that we consider is $\mathcal{L}(N, tr_0, \{\bot\})$. It 
can be shown that this language is exactly the considered Context Free language. 



Fig. 3. a RPN modeling a Context Free language (figure not reproduced) 

Fig. 3 illustrates this construction. The part of the RPN corresponding to 
a non-terminal symbol $S$ associated to the set $\{aSb, cDEF\}$ is given. Symbols in 
uppercase are considered as non-terminal and the others as terminal. The transition 
associated to the $j$-th symbol of the $i$-th element of the set is denoted by $t_{i,j}$ 
and the final transition is denoted $f_i$. As an example, the abstract transition 
associated to $E$ is denoted $t_{2,3}$. The label $\lambda$ of the abstract and final transitions 
has been omitted. 

To demonstrate that this inclusion is strict, we present in Fig. 4 (added to 
the net of Fig. 1) a RPN whose language is neither a PN one nor a 
Context Free one. The ordinary marking associated to the abstract transition $F_0$ 
is the place $P$ of the RPN of Fig. 1. Moreover, its initial extended marking 
is composed of a unique node associated to the ordinary marking $P_{init}$. We 
consider the language $\mathcal{L}(N, tr_0, \{tr_f\})$ where $tr_f$ is the extended marking composed 
of only one node associated to the empty ordinary marking. This language is 
exactly $\{w_1 w_2 \mid w_1 \in PAL(\{a, b\}),\ w_2 \in \{c^n d^n e^n\},\ n \ge 0\}$. This 
language is not a Petri net one (its projection on $\{a, b\}$ gives $PAL(\{a, b\})$) and is 
not a Context Free one (its projection on $\{c, d, e\}$ gives $\{c^n d^n e^n\}$ with $n \ge 0$), 
which concludes the proof. □ 

Theoretical Aspects of Recursive Petri Nets 235 

Fig. 4. a particular RPN (figure not reproduced) 
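The firing rules of Sect. 2.2, the palindrome net of Sect. 2.3 and the grammar construction used in the proof above can all be exercised with the following small simulator. It is an added example and not code from the paper: extended markings are immutable (marking, branches) trees, the three firing rules are implemented as stated in Sect. 2.2, and the language of a labeled RPN is enumerated up to a given word length. The net PALINDROME_NET is our own reconstruction in the spirit of Fig. 1, which is not reproduced here; its places Qa, Qb and the transition names ta, tb, fa, fb, fl, ga, gb are assumptions, as are the place names P_s and q_* chosen by grammar_to_rpn.

```python
from collections import deque

class T:
    """kind in {'elem', 'abs', 'fin'}; pre/post/omega are dicts place -> tokens;
    label is a letter, or None for lambda."""
    def __init__(self, kind, pre, post=None, omega=None, label=None):
        self.kind, self.pre, self.post = kind, pre, post or {}
        self.omega, self.label = omega or {}, label

def add(m, delta, sign=1):
    """m + sign * delta on ordinary markings; empty places are dropped."""
    out = dict(m)
    for p, n in delta.items():
        out[p] = out.get(p, 0) + sign * n
    return {p: n for p, n in out.items() if n}

def successors(net, tree):
    """Yield (label, tree') for every firing tree -t-> tree' in any node; a tree is
    (marking, branches) with branches a tuple of (abstract name, subtree), None = bottom."""
    m, branches = tree
    for name, t in net.items():
        if not all(m.get(p, 0) >= n for p, n in t.pre.items()):
            continue                                    # not enabled in this node
        if t.kind == 'elem':
            yield t.label, (add(add(m, t.pre, -1), t.post), branches)
        elif t.kind == 'abs':                           # new thread marked Omega(t)
            yield t.label, (add(m, t.pre, -1), branches + ((name, (t.omega, ())),))
        else:                                           # final: this thread dies
            yield t.label, None
    for i, (name, child) in enumerate(branches):
        rest = branches[:i] + branches[i + 1:]
        for label, child2 in successors(net, child):
            if child2 is None:          # dead child produces W+(., t) in its father
                yield label, (add(m, net[name].post), rest)
            else:
                yield label, (m, rest + ((name, child2),))

def canon(tree):
    """Extended markings are compared up to vertex identity (remark of Sect. 2.1)."""
    if tree is None:
        return None
    m, branches = tree
    return (tuple(sorted(m.items())), tuple(sorted((n, canon(c)) for n, c in branches)))

def depth(tree):
    """depth(bottom) = 0, depth(m) = 1, depth(tr) = 1 + max over its branches."""
    return 0 if tree is None else 1 + max((depth(c) for _, c in tree[1]), default=0)

def words(net, initial, finals, max_len):
    """h(L(N, tr0, Tr_f)) restricted to words of length <= max_len."""
    finals = {canon(f) for f in finals}
    queue, seen, out = deque([(initial, '')]), {(canon(initial), '')}, set()
    while queue:
        tree, w = queue.popleft()
        if canon(tree) in finals:
            out.add(w)
        for label, nxt in (successors(net, tree) if tree is not None else ()):
            w2 = w + (label or '')
            if len(w2) <= max_len and (canon(nxt), w2) not in seen:
                seen.add((canon(nxt), w2))
                queue.append((nxt, w2))
    return out

P = {'P': 1}
PALINDROME_NET = {                 # our own reconstruction in the spirit of Fig. 1
    'ta': T('abs', P, {'Qa': 1}, omega=P, label='a'),   # open an "a ... a" bracket
    'tb': T('abs', P, {'Qb': 1}, omega=P, label='b'),
    'fa': T('fin', P, label='a'),                       # odd-length centre letter
    'fb': T('fin', P, label='b'),
    'fl': T('fin', P),                                  # even-length centre: lambda
    'ga': T('fin', {'Qa': 1}, label='a'),               # close the bracket opened by ta
    'gb': T('fin', {'Qb': 1}, label='b'),
}

def palindrome_words(max_len):
    """Language of PALINDROME_NET for the ending markings {bottom, P}."""
    return words(PALINDROME_NET, (P, ()), [None, (P, ())], max_len)

def grammar_to_rpn(productions):
    """Sect. 2.4 construction: place P_s per non-terminal s; each production is a chain
    through fresh places q_* (lambda abstract transition with Omega = P_r for a
    non-terminal r, elementary transition for a terminal) ended by a lambda final."""
    net = {}
    for s, rhs_list in productions.items():
        for i, rhs in enumerate(rhs_list):
            prev = 'P_' + s
            for j, x in enumerate(rhs):
                nxt, abstract = f'q_{s}{i}_{j}', x in productions
                net[f't_{s}{i}_{j}'] = T('abs' if abstract else 'elem', {prev: 1}, {nxt: 1},
                                         omega={'P_' + x: 1} if abstract else None,
                                         label=None if abstract else x)
                prev = nxt
            net[f'f_{s}{i}'] = T('fin', {prev: 1})
    return net

def grammar_words(productions, start, max_len):
    return words(grammar_to_rpn(productions), ({'P_' + start: 1}, ()), [None], max_len)
```

palindrome_words(3) returns the nine palindromes of length at most 3, and grammar_words({'S': ['aSb', '']}, 'S', 6) enumerates a^n b^n for n ≤ 3. The length bound is what keeps the breadth-first search finite, since the reachability graph itself is infinite (Fig. 2); the bound is sufficient whenever every thread emits at least one letter before opening a sub-thread, which holds for both nets here.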



2.5 Recursive Petri Nets and the Modeling of Faults 

In order to give insight into the improvements brought by RPNs, we present in 
Fig. 5 an easy way to add faulty behaviors to a Petri net model. The required 
faulty behavior cleans up the current marking and restarts with the initial marking. 
To the best of our knowledge, there is no general way to add such a feature 
to a Petri net; only ad-hoc mechanisms are proposed for particular cases. 

Fig. 5. recursive Petri net modeling faults (figure not reproduced) 

Let us look at our figure. The net is divided into three parts. On the right 
there is the Petri net of the correct behavior (in our formalism, all its transitions are 
elementary). In the center there is the faulty behavior with some spontaneous 
faults (transition Hardware) and some conditioned faults (transition Software). 
For the sake of the modeling, a control place $F$ is added; all the transitions of 
this part are final. On the left there is a simple initially marked loop with an 
abstract transition. The starting marking of this transition is the initial marking of the 
Petri net model of the correct behavior plus one token in the control place $F$. 

The behavior of the net may be described as follows. Initially and in all the 
crash states, the extended marking is reduced to one node with the loop place 
$S$ marked. When the abstract transition is fired, the correct behavior is "played" 
by the new thread. If this thread dies by the firing of a faulty transition, we 
come back to the initial state, and so on. 



3 Decidability of the Reachability Problem 



The reachability problem consists in determining whether a given state is reachable from 
another one. 

This problem has been shown to be decidable for ordinary Petri nets 
(see [May81, Kos82, Lam88]). The main result of this paper is that the reachability 
problem can also be decided for recursive Petri nets. 



3.1 Branches Structure of a Firing Sequence 

First, we characterize the different kinds of behaviors of branches inside a 
sequence. 

Definition 2 (Permanent Branch). 

Let $tr$, $tr'$ be two extended markings and $\sigma$ be a firing sequence from $tr$ to 
$tr'$. A couple of branches $((t_a, tr_a), (t_b, tr_b)) \in Branch(tr) \times Branch(tr')$ denotes a 
permanent branch in $\sigma$ if $v_0(tr_a) = v_0(tr_b)$. 

The previous definition expresses that the node $v_0(tr_a)$ is never removed by 
the firing of a final transition in $v_0(tr_a)$. Remark that in this case we 
necessarily have $t_a = t_b$. 

If a branch is not permanent and occurs in the final marking then it has been 
"opened" by an abstract transition. 

Definition 3 (Opened Branch). 

Let $tr$, $tr'$ be two extended markings and $\sigma$ be a firing sequence from $tr$ to $tr'$. 
A branch $(t_b, tr_b) \in Branch(tr')$ denotes an opened branch in $\sigma$ if $\forall (t_a, tr_a) \in 
Branch(tr)$, $v_0(tr_a) \ne v_0(tr_b)$. 

In the same way, if a branch is not permanent and occurs in the initial 
marking then it has been "closed" by a final transition. 

Definition 4 (Closed Branch). 

Let $tr$, $tr'$ be two extended markings and $\sigma$ be a firing sequence from $tr$ to 
$tr'$. A branch $(t_a, tr_a) \in Branch(tr)$ denotes a closed branch in $\sigma$ if $\forall (t_b, tr_b) \in 
Branch(tr')$, $v_0(tr_a) \ne v_0(tr_b)$. 

At last, some branches may appear in an intermediate marking and disappear 
before the final marking. 

Definition 5 (Transient Branch). 

Let $tr$, $tr'$ be two extended markings and $\sigma$ be a firing sequence from $tr$ to $tr'$. 
A branch $(t_c, tr_c)$ of an extended marking $tr''$ visited by $\sigma$ is a transient branch 
if 

$\forall (t_a, tr_a) \in Branch(tr) \cup Branch(tr')$, $v_0(tr_a) \ne v_0(tr_c)$. 
We want to split the (possibly empty) set of sequences which lead from 
the initial marking to the final marking according to the behavior of the branches 
of the initial and final markings. In the decision procedure, we will successively try 
to find a sequence in each of these subsets. Let us note that the number of 
these subsets is finite. An admissible combination of branches of the initial 
marking and final marking binds the permanent branches, and the remaining 
branches are either closed (if they are in the initial marking) or opened (if they 
are in the final marking). 

Definition 6 (Admissible Combination of Branches). 

Let $tr$ and $tr'$ be two extended markings. An admissible combination of 
branches $Cb(tr, tr')$ is defined by $Cb(tr, tr') = \{R_t\}_{t \in T_{ab}}$ such that 

- $\forall t \in T_{ab}$, $R_t \subseteq (branch(tr, t) \cup \{\bot\}) \times (branch(tr', t) \cup \{\bot\})$ $\wedge$ 

- $\forall t \in T_{ab}$, $\forall b_i \in branch(tr, t)$, $|R_t(b_i, \cdot)| = 1$ $\wedge$ 

- $\forall t \in T_{ab}$, $\forall b_j \in branch(tr', t)$, $|R_t(\cdot, b_j)| = 1$ $\wedge$ 

- $\forall t \in T_{ab}$, $|R_t(\bot, \bot)| = 0$ 

The meaning of an admissible combination $Cb(tr, tr')$ is the following. 

Definition 7 (Combination Respect). 

Let $\sigma$ be a sequence from $tr$ to $tr'$; then $\sigma$ respects $Cb(tr, tr')$ iff 
$\forall t \in T_{ab}$, $\forall b_i \in branch(tr, t)$, $\forall b_j \in branch(tr', t)$: 

- $R_t(b_i, \bot)$ implies that $\sigma$ closes the branch $b_i$, 

- $R_t(\bot, b_j)$ implies that $\sigma$ opens the branch $b_j$ and $b_j$ stays opened, 

- $R_t(b_i, b_j)$ implies that $b_i$ stays opened during the firing of $\sigma$ and corresponds to 
$b_j$ in $tr'$. 

The set of possible branch combinations of two extended markings $tr$ and $tr'$ 
is denoted $CB(tr, tr')$. It is clear that for any sequence there is one and only one 
admissible combination respected by the sequence. 



3.2 Closability of Abstract Transitions 

The first step in tackling the reachability problem is to determine whether the 
tree generated by the firing of an abstract transition may "close" itself. 

Definition 8 (Closable Abstract Transition). 

An abstract transition $t$ is closable if there exists a firing sequence from $\Omega(t)$ 
to $\bot$. Such a sequence is called a closing sequence of the abstract transition $t$. 

From this definition, it is clear that the branches opened in a firing sequence 
which can be closed in the same sequence are those which are created by a 
closable abstract transition. Moreover, using the sequence depth, we can 
characterize some minimal closing sequences. 
Definition 9 (Minimal Closing Sequence). 

A closing sequence $\sigma$ of an abstract transition $t$ is said to be minimal if for every 
closing sequence $\sigma'$ of $t$, we have $Depth(\sigma) \le Depth(\sigma')$. 

For a given closable abstract transition $t$, we denote by $Order(t)$ the depth 
of its minimal closing sequences. The next lemma exhibits a structural property 
of some minimal closing sequences. 

Lemma 10 (Existence of Particular Minimal Closing Sequences). 

Let $t$ be a closable abstract transition; there exists a minimal closing 
sequence $\sigma$ such that, if $\sigma'$ denotes the prefix of $\sigma$ where the last transition (a final 
one) has been deleted, then $\sigma'$ has no opened branch. 

Proof. Let us take a minimal closing sequence. If there is an opened branch before the 
last firing, then we can delete the firing which opens this branch and all the 
subsequent firings in this branch. Indeed, the only node modified by this removal 
is the root node, whose markings after the (removed) opening of the branch are now 
increased by the input tokens of the abstract transition. Thus the new sequence 
is also firable. The new sequence has at most the same depth as the previous 
one. Iterating this removal on all the opened branches, we obtain the required 
minimal closing sequence. □ 



Lemma 11 (Branches Order). 

If there exists an abstract transition $t \in T_{ab}$ such that $Order(t) = n$ (with 
$n > 1$) then there exists an abstract transition $t'$ such that $Order(t') = n - 1$. 

Proof. Let $\sigma$ be a minimal closing sequence of $t$ fulfilling the condition of Lemma 10 
and $\{tr_1, \dots, tr_m\}$ the extended markings of depth $n$ reached by $\sigma$. Let $\{t_{i,j}\}$ be 
the transitions labeling the branches of $tr_i$. 

By the definition of $\sigma$, we are ensured that $\forall i, j$, $Order(t_{i,j}) \le n - 1$. Moreover, 
the condition of Lemma 10 ensures that all the branches are closed before 
the firing of the last transition (the final one) in the root. 

Suppose that $\forall i, j$, $Order(t_{i,j}) < n - 1$; then we can replace the sequence $\sigma$ 
by a sequence $\sigma'$ where the firings in each branch which follow its creation are 
replaced by some minimal closing sequence of order $< n - 1$. This sequence $\sigma'$ 
has depth $< n$, which contradicts the minimality of $\sigma$. □ 

Algorithm 3.1, computing the set of closable abstract transitions, is based 
on Lemma 11. From a given recursive Petri net, it returns the corresponding 
set of closable abstract transitions. 

Algorithm 3.1 Closable 

TransitionSet Closable(RPN N) 
begin 
  Net = N \ (T_ab ∪ T_fi); 
  Computed = ∅; 
  S_fi = {m ∈ N^P | ∃t ∈ T_fi, m ≥ W^-(·, t)}; 
  i = 0; 
  do 
    i = i + 1; 
    New = ∅; 
    forall t ∈ T_ab \ Computed do 
      if ElemDecide(Net, Ω(t), S_fi) then 
        New = New ∪ {t}; 
        Order(t) = i; 
      fi 
    od 
    forall t ∈ New do 
      t_eq = an elementary transition such that 
             W^-(·, t_eq) = W^-(·, t) ∧ W^+(·, t_eq) = W^+(·, t); 
      Net = Net ∪ {t_eq}; 
    od 
    Computed = Computed ∪ New; 
  while (New ≠ ∅); 
  return Computed; 
end 

Proposition 12 (Closable Abstract Transitions). 

Algorithm 3.1 computes exactly the set of closable abstract transitions of 
the net $N$. 

Proof. By definition, an abstract transition of order 1 has an associated 
minimal closing sequence during which no branch is opened, hence no abstract 
transition is fired. Thus we have to decide whether, for a given abstract transition $t$, 
a marking from which a final transition is firable can be reached from $\Omega(t)$. The 
set $S_{fi}$ represents the semi-linear set of markings from which a final transition 
is firable. The ordinary net $Net$ is obtained by removing all abstract and final 
transitions. A closable abstract transition of order 1 is determined by 
deciding whether there exists a marking of $S_{fi}$ reachable in $Net$ from $\Omega(t)$. In ordinary 
Petri nets, the reachability of a semi-linear set reduces straightforwardly to the 
reachability of a finite set of markings. The call $ElemDecide(Net, \Omega(t), S_{fi})$ 
returns true if the ordinary net $Net$ can reach at least one marking of $S_{fi}$ from $\Omega(t)$ 
and false otherwise. 

As seen in the proof of Lemma 11, we know that the closable abstract 
transitions of order $n$ have an associated minimal closing sequence 
containing branches of order strictly less than $n$. Moreover, these branches are 
transient in the subsequence which precedes the firing of the last transition, 
and only the marking of the root is relevant to reach $S_{fi}$. Then we can 
mimic, at the root level, the consequence of the behavior of these branches by adding 
to the net elementary transitions equivalent to the closable abstract transitions 
of order strictly less than $n$. A similar construction is used in Proposition 16 and 
explained there in more detail. 

Finally, as the number of abstract transitions is finite and each successful 
round of the external loop picks at least one new one, the algorithm stops. □ 

For a given recursive Petri net $N$, we denote by $N_{ord}$ the ordinary net $Net$ 
obtained at the termination of Algorithm 3.1. 
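As an added illustration (not the paper's code), here is Algorithm 3.1 in Python with the oracle ElemDecide made concrete. Because $S_{fi}$ is upward-closed, asking whether $Net$ reaches some marking of $S_{fi}$ from $\Omega(t)$ is a coverability question for the finite basis $\{W^-(\cdot, t_f) \mid t_f \in T_{fi}\}$, and coverability is decided here by the classical backward iteration on minimal elements (the pred-basis algorithm of Abdulla et al.), which terminates by Dickson's lemma. The place order PLACES, the net EXAMPLE_NET and its transition names are constructed for this example: t1 is closable at order 1, t2 only once the elementary twin t_eq of t1 is available (order 2), and t3 is not closable because nothing consumes the place U.

```python
def pred(m, pre, post):
    """Least marking from which firing a transition (pre, post) reaches a marking >= m:
    m' >= pre and m' - pre + post >= m  <=>  m' >= pre + max(m - post, 0)."""
    return tuple(p + max(a - q, 0) for a, p, q in zip(m, pre, post))


def minimize(markings):
    """Keep only the minimal elements (the basis) of an upward-closed set."""
    return {m for m in markings
            if not any(o != m and all(a <= b for a, b in zip(o, m)) for o in markings)}


def coverable(elem, start, targets):
    """ElemDecide for the upward-closed set {m | exists u in targets, m >= u}:
    backward reachability on minimal elements (terminates by Dickson's lemma)."""
    basis = minimize(set(targets))
    while True:
        new = minimize(basis | {pred(m, pre, post) for m in basis for pre, post in elem})
        if new == basis:
            return any(all(a >= b for a, b in zip(start, m)) for m in basis)
        basis = new


def closable(net):
    """Algorithm 3.1: net maps a name to a dict with kind ('elem', 'abs', 'fin'),
    pre, post and (for abstract transitions) omega, all tuples over a fixed place
    order.  Returns {t: Order(t)} for every closable abstract transition."""
    elem = [(t['pre'], t['post']) for t in net.values() if t['kind'] == 'elem']
    s_fi = [t['pre'] for t in net.values() if t['kind'] == 'fin']   # basis of S_fi
    order, i = {}, 0
    while True:
        i += 1
        new = [n for n, t in net.items() if t['kind'] == 'abs' and n not in order
               and coverable(elem, t['omega'], s_fi)]
        if not new:
            return order
        for n in new:
            order[n] = i
            elem.append((net[n]['pre'], net[n]['post']))   # t_eq: elementary twin of n


# Constructed example over places (P, Q, R, S, U): t1 closes directly (order 1),
# t2 only after t1 has been replaced by its elementary twin (order 2), t3 never.
PLACES = ('P', 'Q', 'R', 'S', 'U')


def mk(**tokens):
    return tuple(tokens.get(p, 0) for p in PLACES)


EXAMPLE_NET = {
    'e1': dict(kind='elem', pre=mk(R=1), post=mk(S=1)),
    'e2': dict(kind='elem', pre=mk(Q=1), post=mk(S=1)),
    'f':  dict(kind='fin', pre=mk(S=1)),
    't1': dict(kind='abs', pre=mk(P=1), post=mk(Q=1), omega=mk(R=1)),
    't2': dict(kind='abs', pre=mk(P=1), post=mk(S=1), omega=mk(P=1)),
    't3': dict(kind='abs', pre=mk(P=1), post=mk(), omega=mk(U=1)),
}

if __name__ == '__main__':
    print(closable(EXAMPLE_NET))   # {'t1': 1, 't2': 2}
```

The minimal closing sequence of t2 is t1 (opening a thread marked R), e1 and f in that thread, then e2 and f in the root, whose visited markings have depth 2, matching Order(t2) = 2 and Lemma 11. Note that this oracle only decides coverability, which is exactly what Closable needs; the ElemDecide(N_ord, m1, m2) call of the decision procedure in Sect. 3.4 asks for exact reachability of a single marking and needs a genuine Petri net reachability decision procedure, which is not provided here.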

3.3 Analysis of Sequences Structure 

We now give four propositions (one per category of branches) which are used 
to reduce the problem of the existence of a sequence to the existence of other (in 
some sense simpler) sequences. 

Proposition 13 (Permanent Branch Condition). 

Let $tr$ and $tr'$ be two extended markings. Let $Cb(tr, tr')$ be an admissible 
combination of branches and $t$ an abstract transition. There exists a sequence $\sigma$ 
from $tr$ to $tr'$ which respects $Cb(tr, tr')$ with a permanent branch $R_t(b_i, b_j)$ iff 
$\exists \sigma', \sigma''$ such that 

$(M(v_0(tr)), Branch(tr) \setminus \{b_i\}) \xrightarrow{\sigma'} (M(v_0(tr')), Branch(tr') \setminus \{b_j\})$ $\wedge$ 
$b_i \xrightarrow{\sigma''} b_j$ 

(where $b_i \xrightarrow{\sigma''} b_j$ stands for $tr_i \xrightarrow{\sigma''} tr_j$ with $b_i = (t, tr_i)$ and $b_j = (t, tr_j)$). 

Proof. The demonstration is essentially based on the semantics of recursive Petri 
nets. If the branch $b_i$ is permanent then the sequence $\sigma$ contains neither a firing 
of an abstract transition opening the branch nor a firing of a final transition 
in the root of the branch. Then all the firings in the branch $b_i$ are independent 
from the ones outside the branch. 

We construct a sequence $\sigma'$ by projecting $\sigma$ on the firings which do not 
concern $b_i$ and a sequence $\sigma''$ by projecting $\sigma$ on the firings concerning the branch 
$b_i$. Since the firings inside $b_i$ are independent from the ones outside 
(from the semantics of recursive Petri nets), if $\sigma$ is firable then the sequence 
$\sigma' . \sigma''$ is also firable and leads from $tr$ to $tr'$. 

Moreover, the sequence $\sigma'' . \sigma'$ has the same properties. 

Finally, it is clear that the existence of the firing sequences $\sigma'$ and $\sigma''$ is a sufficient 
condition for reaching $tr'$ from $tr$ via $\sigma' . \sigma''$. □ 

This proposition is illustrated in Fig. 6. 

Proposition 14 (Opened Branch Condition). 

Let $tr$ and $tr'$ be two extended markings. Let $Cb(tr, tr')$ be an admissible 
combination of branches and $t$ an abstract transition. There exists a sequence 
$\sigma$ from $tr$ to $tr'$ which respects $Cb(tr, tr')$ with an opened branch $R_t(\bot, b_j)$ iff 
$\exists \sigma', \sigma''$ such that 

$tr \xrightarrow{\sigma'} (M(v_0(tr')) + W^-(\cdot, t), Branch(tr') \setminus \{b_j\})$ $\wedge$ 
$\Omega(t) \xrightarrow{\sigma''} b_j$ 

Fig. 6. permanent branch (figure not reproduced) 

Proof. $t$ is the abstract transition which opens the branch $b_j$. Let $\sigma_a$ be the part 
of $\sigma$ preceding the $b_j$-opening occurrence of $t$ in $\sigma$ and $\sigma_b$ the part of $\sigma$ following 
this occurrence. We have $\sigma = \sigma_a . t . \sigma_b$. 

The branch $b_j$ is a permanent branch of $\sigma_b$. Applying Proposition 13, we 
construct a sequence $\sigma_{b1}$ by projecting $\sigma_b$ on the firings which do not concern 
the branch $b_j$ and a sequence $\sigma_{b2}$ by projecting $\sigma_b$ on the firings concerning $b_j$. 

The sequence $\sigma_a . t . \sigma_{b1} . \sigma_{b2}$ is firable. 

Since the firing of $t$ only consumes tokens in the root of the 
extended markings, the sequence $\sigma_a . \sigma_{b1} . t . \sigma_{b2}$ is also firable and leads from $tr$ to 
$tr'$. 

Moreover, since the firing of $t$ opens the branch $(t, \Omega(t))$ and the 
firings in $\sigma_{b2}$ only concern $b_j$, we have $\Omega(t) \xrightarrow{\sigma_{b2}} b_j$. 

Since all the firings in $\sigma$ which do not concern $b_j$ are in $\sigma_a . \sigma_{b1}$, we have 
$tr \xrightarrow{\sigma_a . \sigma_{b1}} (M(v_0(tr')) + W^-(\cdot, t), Branch(tr') \setminus \{b_j\})$. 

Finally, it is clear that the existence of the firing sequences $\sigma'$ and $\sigma''$ is a sufficient 
condition for the reachability via $\sigma' . t . \sigma''$. □ 

This proposition is illustrated in Fig. 7. 

Proposition 15 (Closed Branch Condition). 

Let $tr$ and $tr'$ be two extended markings. Let $Cb(tr, tr')$ be an admissible 
combination of branches and $t$ an abstract transition. There exists a sequence $\sigma$ 
from $tr$ to $tr'$ which respects $Cb(tr, tr')$ with a closed branch $R_t(b_i, \bot)$ iff $\exists \sigma', \sigma''$ 
such that 

$b_i \xrightarrow{\sigma''} \bot$ $\wedge$ 
$(M(v_0(tr)) + W^+(\cdot, t), Branch(tr) \setminus \{b_i\}) \xrightarrow{\sigma'} tr'$ 

Proof. Let $t_d$ be the final transition closing the branch $b_i$. Let $\sigma_a$ be the part 
of $\sigma$ preceding the $b_i$-closing occurrence of $t_d$ in $\sigma$ and $\sigma_b$ the part of $\sigma$ following 
this occurrence. We have $\sigma = \sigma_a . t_d . \sigma_b$. 

Fig. 7. opened branch (figure not reproduced) 

The branch $b_i$ is a permanent branch of $\sigma_a$. Applying Proposition 13, 
we construct a sequence $\sigma_{a1}$ by projecting $\sigma_a$ on the firings which concern the 
branch $b_i$ and a sequence $\sigma_{a2}$ by projecting $\sigma_a$ on the firings not concerning $b_i$. 
The sequence $\sigma_{a1} . \sigma_{a2} . t_d . \sigma_b$ is firable. 

Since the firing of $t_d$ only produces tokens in the root of the 
extended markings, the sequence $\sigma_{a1} . t_d . \sigma_{a2} . \sigma_b$ is also firable and leads from $tr$ 
to $tr'$. 

Because all the firings in $\sigma$ which do not concern $b_i$ are in $\sigma_{a2} . \sigma_b$, we have 
$(M(v_0(tr)) + W^+(\cdot, t), Branch(tr) \setminus \{b_i\}) \xrightarrow{\sigma_{a2} . \sigma_b} tr'$. 

Finally, it is clear that the existence of the firing sequences $\sigma'$ and $\sigma''$ is a sufficient 
condition for reachability via $\sigma'' . \sigma'$. □ 

This proposition is illustrated in Fig. 8. 

Proposition 16 (Transient Branch Elimination). 

Let $tr$ and $tr'$ be two extended markings composed of only one node. There 
exists a sequence from $tr$ to $tr'$ iff there is a sequence in the ordinary Petri 
net $N_{ord}$ leading from $M(v_0(tr))$ to $M(v_0(tr'))$. 

Proof. Let $t_d$ be the final transition closing some transient branch $b_i$ of $\sigma$ opened 
by an abstract transition $t$. Let $\sigma_a$ be the part of $\sigma$ preceding the firing of $t$, $\sigma_b$ the 
part of $\sigma$ enclosed by the opening firing of $t$ and the closing firing of 
$t_d$, and $\sigma_c$ the part of $\sigma$ following the firing of $t_d$. We have $\sigma = \sigma_a . t . \sigma_b . t_d . \sigma_c$. 

Fig. 8. closed branch (figure not reproduced) 

The branch $b_i$ is a permanent branch of $\sigma_b$. Applying Proposition 13, we 
construct a sequence $\sigma_{b1}$ by projecting $\sigma_b$ on the firings which do not concern 
the branch $b_i$ and a sequence $\sigma_{b2}$ by projecting $\sigma_b$ on the firings concerning $b_i$. 

The sequence $\sigma_a . t . \sigma_{b1} . \sigma_{b2} . t_d . \sigma_c$ is firable. 

Since the firing of $t$ only consumes tokens in the root of the extended 
markings, the sequence $\sigma_a . \sigma_{b1} . t . \sigma_{b2} . t_d . \sigma_c$ is also firable and leads from $tr$ to $tr'$. 

Because the sequence $\sigma_{b2}$ only concerns the branch $b_i$ opened by $t$, its firings 
have no effect on the nodes of the extended marking reached by $\sigma_a . \sigma_{b1}$. The 
modifications of these nodes done by the sequence $t . \sigma_{b2} . t_d$ concern only the 
root node and consist in the consumption of $W^-(\cdot, t)$ tokens by $t$ and the production 
of $W^+(\cdot, t)$ tokens by $t_d$. So at the root level, the sequence $t . \sigma_{b2} . t_d$ can be 
simulated by $t_{eq}$, which belongs to $N_{ord}$ as $t$ has a closing sequence. Iterating the 
substitution for all transient branches gives a sequence in $N_{ord}$. 

Finally, it is clear that a sequence in $N_{ord}$ can be transformed into a sequence 
for $N$ by substituting for the firing of any $t_{eq}$ the firing of $t$ followed by a closing 
sequence of $t$. □ 
3.4 The Decision Procedure 

Algorithm 3.2 is developed from the previous propositions. 

Algorithm 3.2 Decide 

Bool Decide(N, tr, tr') 
begin 
  if (tr == ⊥) then 
    return tr' == ⊥; 
  fi 
  if (tr' == ⊥) then 
    m = M(v_0(tr)); 
    forall (t, tr_i) ∈ Branch(tr) do 
      if Decide(N, tr_i, ⊥) then 
        m = m + W^+(·, t); 
      fi 
    od 
    S_fi = {m' ∈ N^P | ∃t ∈ T_fi, m' ≥ W^-(·, t)}; 
    return ElemDecide(N_ord, m, S_fi); 
  fi 
  forall Cb(tr, tr') ∈ CB(tr, tr') do 
    // with Cb(tr, tr') = {R_t}_{t ∈ T_ab} 
    forall R_t((t, tr_i), (t, tr_j)) do        // permanent branch 
      if ¬Decide(N, tr_i, tr_j) then 
        goto NextCombination; 
      fi 
    od 
    forall R_t(⊥, (t, tr_j)) do                // opened branch 
      if ¬Decide(N, Ω(t), tr_j) then 
        goto NextCombination; 
      fi 
    od 
    forall R_t((t, tr_i), ⊥) do                // closed branch 
      if ¬Decide(N, tr_i, ⊥) then 
        goto NextCombination; 
      fi 
    od 
    m1 = M(v_0(tr)) + Σ_{R_t(·, ⊥)} W^+(·, t); 
    m2 = M(v_0(tr')) + Σ_{R_t(⊥, ·)} W^-(·, t); 
    if ElemDecide(N_ord, m1, m2) then 
      return true; 
    fi 
    NextCombination: 
  od 
  return false; 
end 
Theorem 17 (Reachability Problem). 

Let $tr$ and $tr'$ be two extended markings of a recursive Petri net $N = (P, T, W^-, 
W^+, \Omega, tr_0)$. $tr'$ is reachable from $tr$ iff $Decide(N, tr, tr')$ returns true. 

Proof. The demonstration is done by induction on $depth(tr) + depth(tr')$. 

If $depth(tr) = 0$ then the algorithm returns true only if $depth(tr') = 0$ and 
false otherwise. This statement is ensured by the first test of the algorithm. 

We make the hypothesis that the algorithm is correct for $depth(tr) + depth(tr') \le n$ 
and demonstrate its correctness for $depth(tr) + depth(tr') = n + 1$. 

If $depth(tr) \ne 0 \wedge depth(tr') = 0$, we have to decide whether the system is able to 
fire a final transition at the root level, or equivalently, whether the root of $tr$ is able 
to reach a state from which a final transition is firable. The set $S_{fi}$ represents 
this set of markings. 

If such a sequence exists, we can adapt Lemma 10 to it, and then there 
exists a minimal sequence having no opened branch. 

However, a branch opened in $tr$ which can be closed from $tr$ can increase 
the number of tokens in the marking associated to $v_0(tr)$ by producing $W^+(\cdot, t)$ 
tokens (where $t$ is the abstract transition associated to the branch). By the 
induction hypothesis, we can determine these particular branches by recursive 
calls to the procedure. 

Because adding some tokens to a marking can only increase the set of 
sequences firable from it, we can arbitrarily close these particular branches. The 
marking $m$ corresponds to this statement. It is clear that the branches opened 
in $tr$ which cannot be closed have no effect on the marking associated to $v_0(tr)$ 
and thus can be ignored. 

Finally, because the searched sequence can perform some transient branches, 
and by applying Proposition 16, deciding whether the system can reach a marking of 
$S_{fi}$ from $m$ is equivalent to deciding whether the ordinary net $N_{ord}$ is able to reach 
a marking of $S_{fi}$ from $m$. The demonstration of this point is similar to that of 
Proposition 12, and the reachability problem for ordinary nets is known to be 
decidable [May81, Kos82, Lam88]. 

If $depth(tr) \ne 0 \wedge depth(tr') \ne 0$, then, because the number of combinations 
is finite, deciding whether there exists a firing sequence in $N$ leading from $tr$ to $tr'$ is 
equivalent to deciding whether there exist a firing sequence $\sigma$ in $N$ leading from $tr$ to 
$tr'$ and an admissible combination $Cb(tr, tr')$ such that $\sigma$ respects 
$Cb(tr, tr')$. 

The main loop of the algorithm corresponds to this statement. 

Then, deciding whether there exists a sequence in $N$ is equivalent to deciding whether there 
exists one showing some permanent, opened, closed and transient branches. The 
considered admissible combination $Cb$ determines the permanent, opened and 
closed branches. 

The three internal loops correspond to the treatment of these kinds of branches. 

The demonstration of their correctness is directly related to Propositions 
13, 14 and 15 and to the induction hypothesis. 

When all the permanent, opened and closed branches have been treated, the 
decision of the reachability can be restricted to a decision in an ordinary net. If 
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we consider that all the closed branches are effectivly closed, we have to reach 
the state from which all the opened branches can be opened. The markings mi 
and 7712 correspond to these two particular points of the sequence. Because, the 
sequence can perform some transient branches, the decision must be done for 
the ordinary net Nord (Proposition □ 

4 Conclusion 

In this work we have studied theoretical features of recursive Petri nets. We have first shown that they are a strict extension of the model of Petri nets, as they are able to recognize the palindrome language, and that the languages of RPNs strictly include the union of Petri net and context-free languages. Moreover, we have illustrated their modelling capability by giving a simple method to model faults in a system, whereas a similar modelling is not known to be possible for ordinary Petri nets. 

Then we have proven that reachability is decidable for RPNs and we have given an algorithm which reduces the problem to some (quite numerous!) applications of the decision procedure for ordinary Petri nets. 

We plan to extend our studies in two different ways. On the one hand we want to add new features to recursive Petri nets and examine whether the reachability problem remains decidable. We are mainly interested in introducing some context when a thread is initiated (e.g. the starting marking could depend on the depth in the tree). On the other hand, we would study some more complex properties (like home states or properties specified by a temporal formula). Since the redaction of this paper, new results on RPNs have been established. In particular, we have proven that RPN languages are recursive and that any Turing machine can be simulated by synchronizing a RPN with a finite automaton. This last result has multiple consequences, one of them being that the emptiness of the intersection of a regular language and a RPN language is undecidable. Hence it leaves little hope for general model checking as done for Petri nets. However, this negative result does not preclude the checking of particular properties (such as special kinds of fairness), and we are working in such a direction. 

Finally, it would be interesting to combine this model with usual features (such as colours) in order to widen its application area. 
Abstract. The paper deals with the computation of flows in coloured nets and with the potential reachability of markings over the integers in p/t nets. We introduce Artin nets as a subclass of coloured nets which can be handled by methods from Commutative Algebra. As a first result we develop an algorithm for the explicit computation of flows in Artin nets, which is supported by existing tools. Concerning reachability in p/t nets we prove a refined rank condition as a second result. 
1 Introduction 

The present work deals with the following problems from Petri net theory: 

• Computation of flows in coloured nets. 

• Potential reachability resp. non-reachability of markings over Z in p/t systems. 

Our results are: 

• For a subclass of coloured nets (Artin nets) we develop an algorithm which computes generators of the module of flows (Algorithm 5.2). This algorithm is supported by existing tools (Remark 5.3). Our results generalize in several aspects the results of Couvreur and Martinez about commutative nets ([CM1990]): the colour functions are not restricted to diagonalizable matrices (Definition 3.1), and we show how to obtain a minimal set of generators of flows (Example 5.5). 

• For p/t systems we prove a refined rank condition for the incidence map, which characterizes potential reachability over Z (Theorem 6.4). This result provides a second criterion, complementary to the characterization by modulo-invariants given by Desel, Neuendorf and Radola ([DNR1996]). The present formulation can serve as a starting point for generalizing the criterion to Artin nets and other commutative nets. 
We apply the following methods from Commutative Algebra: 

• Gröbner theory for rings of polynomials. The present paper uses this method for the first time to solve Petri net problems. 

• Theory of modules over principal ideal domains. This theory has already been applied to Petri nets by Desel, Neuendorf and Radola. 

Both methods transcend linear algebra for vector spaces considerably. Although we often use terms which are probably unfamiliar in the context of Petri nets, the above methods and the supporting tools yield concrete numerical results. Some proofs or remarks require non-standard prerequisites; they are typed in smaller fonts. 

Obviously every coloured net can be unfolded into an equivalent p/t net. But in our opinion the descent to low level nets cannot qualify as the method of choice to answer high level questions. Therefore one has to leave the theory of vector spaces and apply more sophisticated methods from mathematics. We use the concept of coloured nets from [Jen1992]. 



2 Linear Problems in Coloured Homogeneous Nets 

Linear Algebra and Linear Programming are the mathematics of p/t nets. Matrix theory solves systems of linear equations over a field and determines e.g. the flows of p/t nets. Coloured nets are controlled by ground rings which are more general than the field of rationals Q or the ring of integers Z. Their rings are not necessarily commutative, and the colour modules can vary from place to place and from transition to transition. 

Currently there is no universal mathematical method capable of analyzing all kinds of coloured nets; the scope of each particular method is restricted to subclasses. In the present chapter we choose the subclass of homogeneous nets as a suitable frame for fixing our algebraic notations. This class has been introduced by Couvreur and Martinez ([CM1990]). 

Petri net theory is intimately linked with non-negative coefficients. But in the present paper we restrict ourselves to coarser structures with coefficients from a ring R: we do not consider bags but R-modules, replacing linear algebra over a field by the theory of modules over a ring. 

2.1 Remark (Notations from Algebra). Denote by R a ring. 

i) For an arbitrary set X we denote by $X_R$ the free R-module with base X, 

$$X_R := \{ \sum_{x \in X} n_x\, x : n_x \in R \text{ and } n_x \neq 0 \text{ for at most finitely many } x \}.$$ 

Elements of $X_R$ are all finite weighted sums of elements from X with weights from R. 

ii) For two R-modules V, W we denote by 

$$Hom_R(V, W) := \{ f: V \to W : f \text{ is } R\text{-linear} \}$$ 

the set of morphisms between V and W. If V = W then we use the notation $End_R(V) := Hom_R(V, V)$. 

The R-module $Hom_R(V, R) =: V^*$ is called the dual of V. 
2.2 Definition (Homogeneous Net). A coloured net $N = (T, P, C, w^+, w^-)$ with transitions T, places P, pre- resp. post-conditions $w^-$ resp. $w^+$ is called homogeneous iff all places and transitions share a common colour set C. 

We stress that we do not require the same token flow for all bindings of a given transition. Plain p/t nets are the special class of homogeneous nets with a single colour, i.e. C = { * }. Every homogeneous net comes with an intrinsic algebra, much more specific than the ring of definition Z; our approach therefore studies linear questions over the colour algebra of the net. 

2.3 Definition (Colour Algebra of a Homogeneous Net). The incidence map of a homogeneous net $N = (T, P, C, w^+, w^-)$ is the Z-bilinear map 

$$w := w^+ - w^- : T_Z \times P_Z \to End_Z(C_Z).$$ 

The local images $w^+(t, p), w^-(t, p) \in End_Z(C_Z)$, $(t, p) \in T \times P$, are called the colour functions of N; they generate the colour algebra 

$$A_Z := Z[\, w^+(t, p)_{(t,p) \in T \times P},\ w^-(t, p)_{(t,p) \in T \times P} \,],$$ 

which is an associative, but not necessarily commutative, subalgebra of $End_Z(C_Z)$. 

The following remark fixes our notation concerning the morphisms which originate from the incidence map. 

2.4 Remark (Incidence Map of a Homogeneous Net). Denote by $N = (T, P, C, w^+, w^-)$ a homogeneous net. 

i) We introduce 

• $C_1(N) := P_Z$, the Z-module of places, and $C_0(N) := T_Z$, the Z-module of transitions. For an arbitrary Z-module V we define the Z-modules 

• $C_i(N, V) := C_i(N) \otimes_Z V$ and $C^i(N, V) := Hom_Z(C_i(N), V)$, i = 0, 1. 

The Z-modules $C_0(N, C_Z)$ resp. $C^1(N, C_Z)$ are called the module of steps with integer coefficients resp. the module of markings with integer coefficients. The general element 

$$\tau = \sum_{t \in T} i_t\, t \otimes b_t \in C_0(N, C_Z)$$ 

is a linear combination of transitions $t \in T$ and corresponding bindings $b_t \in C$ with integer coefficients $i_t \in Z$. Similarly the general element 

$$\mu = \sum_{p \in P} \mu_p\, p^* \otimes c_p \in C^1(N, C_Z)$$ 

is a linear combination of the dual functionals $p^* \in Hom_Z(P_Z, Z)$ and corresponding colours $c_p \in C$ with integer coefficients $\mu_p \in Z$. 

ii) The incidence map is equivalent to each of the following two morphisms: 

$$w_P: C_1(N) \to C^0(N, A_Z) \cong C^0(N, Z) \otimes_Z A_Z, \quad w_P(p) := \sum_{t \in T} t^* \otimes w(t, p),$$ 

$$w_T: C_0(N) \to C^1(N, A_Z) \cong C^1(N, Z) \otimes_Z A_Z, \quad w_T(t) := \sum_{p \in P} p^* \otimes w(t, p).$$ 

iii) By forming the tensor product with $A_Z$ we extend also the domains of these maps to $A_Z$-modules. We obtain two morphisms of $A_Z$-modules 

$$w_P: C_1(N, A_Z) \to C^0(N, A_Z), \quad w_P(p \otimes f) := \sum_{t \in T} \big( t^* \otimes f \circ w(t, p) \big), \quad p \in P,\ f \in A_Z,$$ 

$$w_T: C_0(N, A_Z) \to C^1(N, A_Z), \quad w_T(t \otimes f) := \sum_{p \in P} \big( p^* \otimes f \circ w(t, p) \big), \quad t \in T,\ f \in A_Z.$$ 

Obviously we can replace in both maps the subalgebra $A_Z$ by the full algebra of endomorphisms $End_Z(C_Z)$ and obtain morphisms between $End_Z(C_Z)$-modules. For these and other morphisms derived from the total incidence map we will always use the same notation $w_P$ resp. $w_T$. 

The following Lemma 2.5 prepares the proof of Proposition 2.8. 

2.5 Lemma (Adjointness of the Incidence Maps). Denote by $N = (T, P, C, w^+, w^-)$ a homogeneous net. 

i) The canonical evaluation 

$$End_Z(C_Z) \times C_Z \to C_Z, \quad (f, c) \mapsto f(c)$$ 

induces two Z-bilinear maps, which are defined on generators as 

$$\langle\ ,\ \rangle_P : C_1(N, End_Z(C_Z)) \times C^1(N, C_Z) \to C_Z, \quad \langle p \otimes f, \mu \rangle_P := f(\mu(p))$$ 

$$\text{resp.} \quad \langle\ ,\ \rangle_T : C^0(N, End_Z(C_Z)) \times C_0(N, C_Z) \to C_Z, \quad \langle \alpha, t \otimes b \rangle_T := \alpha(t)(b).$$ 

ii) With respect to these bilinear maps the incidence maps 

$$w_P: C_1(N, End_Z(C_Z)) \to C^0(N, End_Z(C_Z)), \quad w_P(p \otimes f) := \sum_{t \in T} \big( t^* \otimes f \circ w(t, p) \big),$$ 

$$w_T: C_0(N, C_Z) \to C^1(N, C_Z), \quad w_T(t \otimes b) := \sum_{p \in P} p^* \otimes w(t, p)(b)$$ 

are adjoint, i.e. for all $x \in C_1(N, End_Z(C_Z))$ and $y \in C_0(N, C_Z)$ holds 

$$\langle x, w_T(y) \rangle_P = \langle w_P(x), y \rangle_T \in C_Z.$$ 

A necessary criterion for an arbitrary marking $m_{post}$ to be reachable in the Petri net $(N, m_{pre})$ is that both markings satisfy the marking equation. Due to this linear inhomogeneous equation, Petri net theory is the refinement of a linear theory. In general the refinement is strict: the fine structure of a Petri net is determined by a positivity condition required by the firing rule. 

2.6 Remark (Marking Equation). If the binding element $(t, b) \in T \times C$ of a homogeneous net $N = (T, P, C, w^+, w^-)$ occurs at the marking $m_{pre} \in C^1(N, C_Z)$, then it creates the new marking $m_{post}$ according to the marking equation 

$$m_{post} = m_{pre} + w_T(t \otimes b) \in C^1(N, C_Z).$$ 

The statement generalizes from (t, b) to arbitrary Parikh vectors from $C_0(N, C_Z)$. 
For coloured nets one usually considers flows with coefficients from the whole ring of endomorphisms. For the subclass of homogeneous nets it is helpful to focus first on flows with coefficients from the colour algebra, cf. Remark 3.7. 

2.7 Definition (Flows of a Homogeneous Net). For a homogeneous net $N = (T, P, C, w^+, w^-)$ with colour algebra $A_Z$ we define the 

• $A_Z$-module of P-flows¹ of N with coefficients from $A_Z$ as 

$$Z_1(N, A_Z) := \ker [\, w_P: C_1(N, A_Z) \to C^0(N, A_Z) \,]$$ 

• and the $A_Z$-module of T-flows of N with coefficients from $A_Z$ as 

$$Z_0(N, A_Z) := \ker [\, w_T: C_0(N, A_Z) \to C^1(N, A_Z) \,].$$ 

An analogous definition is obtained by replacing $A_Z$ by $End_Z(C_Z)$ or by the rational colour algebra 

$$A_Q := A_Z \otimes_Z Q.$$ 

P-flows induce a conserved sum of colours, as follows at once from the adjointness of the two incidence maps. 

2.8 Proposition (P-Flows and Conservation Law). Let $N = (T, P, C, w^+, w^-)$ be a homogeneous net and consider a P-flow $\pi \in Z_1(N, A_Z)$ with coefficients from the colour algebra $A_Z$. Then for any two markings $m_{pre}, m_{post}$ with $m_{post} \in [m_{pre}\rangle$ holds the conservation law 

$$\langle \pi, m_{post} \rangle_P = \langle \pi, m_{pre} \rangle_P \in C_Z.$$ 

Proof. We assume without loss of generality that the new marking $m_{post}$ is created by the occurrence of a single binding $(t, b) \in T \times C$ at the marking $m_{pre}$. According to Lemma 2.5 and because $w_P(\pi) = 0$ we have 

$$\langle \pi, m_{post} \rangle_P = \langle \pi, m_{pre} + w_T(t \otimes b) \rangle_P = \langle \pi, m_{pre} \rangle_P + \langle \pi, w_T(t \otimes b) \rangle_P = \langle \pi, m_{pre} \rangle_P + \langle w_P(\pi), t \otimes b \rangle_T = \langle \pi, m_{pre} \rangle_P, \quad \text{QED.}$$ 



3 Artin Nets 

Artin nets make a first step from p/t nets to a non-trivial class of coloured nets which can be accessed by mathematical methods. We generalize the concept of commutative nets of Couvreur and Martinez ([CM1990]). Then we define Artin nets as commutative nets with rational coefficients. In addition to a series of examples from [CM1990], the coloured net of the "dining philosophers" is also an Artin net. 

¹ Some authors prefer the name P-invariant, while others like [Jen1992] introduce the notion P-flow and distinguish between flows and invariants. We follow the convention of [Jen1992]. 

3.1 Definition (Commutative Net, Artin Net). A homogeneous net $N = (T, P, C, w^+, w^-)$ is called commutative iff its colour algebra 

$$A_Z := Z[\, w^+(t, p)_{(t,p) \in T \times P},\ w^-(t, p)_{(t,p) \in T \times P} \,]$$ 

is commutative. For a commutative net we extend the ring Z to its field of quotients Q and obtain the concept of an Artin net with rational colour algebra 

$$A_Q := A_Z \otimes_Z Q = Q[\, w^+(t, p)_{(t,p) \in T \times P},\ w^-(t, p)_{(t,p) \in T \times P} \,].$$ 

We do not require the colour functions $w^+(t, p), w^-(t, p)$ to be diagonalizable. Commutative nets in the sense of [CM1990] are also commutative in the sense of Definition 3.1. They have the additional property that their colour algebra is reduced. 

Throughout the whole paper we illustrate our definitions and results about Artin nets by a fixed example from [CM1990]: 

3.2 Example (Commutative Net of Clock Synchronization). Fig. 1 shows the net from [CM1990], Section 5.2, which models the synchronization of clocks connected to a virtual ring. The commutative net $N = (T, P, C, w^+, w^-)$ has 

• transitions $T = \{ t_1, t_2 \}$, places $P = \{ p_1, \ldots, p_4 \}$, 

• colour set $C = C_1 \times C_2$, $C_i := Z/n_iZ$, $n_i \in \mathbb{N}^*$, i = 1, 2, 

• colour algebra $A_Z = Z[sh_1, sh_2]$ with the endomorphisms $sh_1 = \mu_1 \otimes 1$ resp. $sh_2 = 1 \otimes \mu_2 \in End_Z(C_Z)$, $C_Z = C_{1,Z} \otimes_Z C_{2,Z}$, induced from the shift maps of the colour components $\mu_i: Z/n_iZ \to Z/n_iZ$, $x \mapsto x + 1$, i = 1, 2, 

• and incidence matrix 

$$M(w_P) = \begin{pmatrix} sh_2 & -1 & -1 & sh_2 - 1 \\ -1 & 1 & sh_1 & 0 \end{pmatrix} \in M(2 \times 4, A_Z).$$ 

The colours from $C_1$ represent the stations, while the elements from $C_2$ are considered as clocks. 

One of the main results of this paper is an algorithm which computes the kernel of the incidence map of an Artin net. We want to stress that the matrix $M(w_P)$ is not of the usual type with entries from Q or Z: each entry is an endomorphism itself. On a more general level we are faced with the following situation: 

Fig. 1. Commutative net of clock synchronization 



3.3 Remark (Kernel of a Morphism between A-Modules). Consider a field K and a K-algebra A like the colour algebra of an Artin net. How does one compute the kernel of a morphism $f: V \to W$ between two A-modules V and W? We proceed in two steps: 

• We lift the problem from the ring A to a ring of polynomials. 

• We apply Gröbner theory over the ring of polynomials. 

The second step will be treated in Chapter 4. The first is achieved by the minimal polynomials of the colour functions. 

3.4 Remark (From Endomorphisms to Polynomials). i) Every endomorphism $f \in End_Q(C_Q)$ of a finite dimensional Q-vector space $C_Q$ has a unique minimal polynomial $P_f \in Q[t]$. It is defined as the monic polynomial such that 

$$Q[t] / \langle P_f \rangle \cong Q[f], \quad [t] \mapsto f,$$ 

i.e. such that the rational matrix algebra generated by f equals the quotient of the ring Q[t] of polynomials in one indeterminate by the ideal $\langle P_f \rangle$ generated by $P_f$. 

ii) Analogously the rational matrix algebra $A_Q$, which is the adjunction of finitely many colour functions, has the form 

$$A_Q \cong Q[t_1, \ldots, t_m] / I,$$ 

i.e. $A_Q$ equals the quotient of a ring $Q[t_1, \ldots, t_m]$ of polynomials by a suitable ideal $I \subset Q[t_1, \ldots, t_m]$ of polynomials. 

iii) The rational colour algebra $A_Q$ of an Artin net is a rational Artin algebra, i.e. it has finite dimension as a vector space over Q. 
3.5 Example (Colour Algebra of the Clock Synchronization). We continue with the Artin net N from Example 3.2. It has two non-trivial colour functions $sh_j \in End_Z(C_Z)$. Over Q their minimal polynomials are 

$$P_j(t) = t^{n_j} - 1 \in Q[t], \quad j = 1, 2.$$ 

The rational colour algebra has the form 

$$A_Q = Q[sh_1, sh_2] \cong Q[t_1, t_2] / \langle t_1^{n_1} - 1,\ t_2^{n_2} - 1 \rangle.$$ 

It is reduced, i.e. there are no non-zero elements $f \in A_Q$ with $f^n = 0$ for suitable $n \in \mathbb{N}$. Each minimal polynomial factors as 

$$P_j(t) = (t - 1) \sum_{i=0}^{n_j - 1} t^i.$$ 

The annihilator ideal of $(sh_j - 1)$ in $Q[sh_1, sh_2]$ is generated by 

$$S_j := \frac{1}{n_j} \sum_{i=0}^{n_j - 1} sh_j^i \in A_Q, \quad \text{i.e.} \quad ann(sh_j - 1) := \{ x \in A_Q : x\,(sh_j - 1) = 0 \} = \langle S_j \rangle, \quad j = 1, 2.$$ 

One defines the n-th cyclotomic polynomial 

$$\Phi_n(t) := \prod_{0 < k \le n,\ \gcd(k, n) = 1} (t - \zeta^k), \quad n \in \mathbb{N} \text{ and } \zeta \in \mathbb{C} \text{ a primitive } n\text{-th root of unity.}$$ 

All cyclotomic polynomials are defined over Z and are irreducible over Q. The factorization 

$$t^n - 1 = \prod_{d \mid n} \Phi_d(t)$$ 

is a complete splitting of the left side into a product of irreducible polynomials. 

This factorization on the level of polynomials induces a corresponding factorization of the colour algebra. Artin factorization over a field is the key method to reduce linear questions about Artin nets to analogous questions about p/t nets. For an application we refer to Example 5.5. 
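The following Python script is an added example and not part of the paper (the paper works symbolically in $n_j$ and computes with Macaulay 2). It makes the two statements of Example 3.5 concrete for the one-shift algebra $Q[sh] \cong Q[t]/\langle t^n - 1 \rangle$: it computes the cyclotomic polynomials $\Phi_d$ by dividing $t^n - 1$ by the $\Phi_d$ of the proper divisors, checks that their product gives $t^n - 1$ back, and verifies that $S = (1/n) \sum_i sh^i$ annihilates $sh - 1$ and is idempotent. The concrete order n = 6, the coefficient-list representation and all function names are choices of this example.

```python
from fractions import Fraction

# Univariate polynomials over Q as coefficient lists: p[k] is the coefficient of t^k.

def trim(p):
    """Drop trailing zero coefficients (in place) and return p."""
    while p and p[-1] == 0:
        p.pop()
    return p

def mul(p, q):
    out = [Fraction(0)] * (len(p) + len(q) - 1) if p and q else []
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            out[i + j] += a * b
    return trim(out)

def divmod_poly(p, q):
    """Long division in Q[t]: returns (quotient, remainder) with p = quotient*q + remainder."""
    p, q = [Fraction(c) for c in p], trim([Fraction(c) for c in q])
    quot = [Fraction(0)] * max(len(p) - len(q) + 1, 1)
    while trim(p) and len(p) >= len(q):
        d = len(p) - len(q)
        c = p[-1] / q[-1]
        quot[d] = c
        for i, b in enumerate(q):
            p[i + d] -= c * b
    return trim(quot), p

def divisors(n):
    return [d for d in range(1, n + 1) if n % d == 0]

def cyclotomic(n, _cache={}):
    """Phi_n(t), computed from t^n - 1 = prod_{d | n} Phi_d(t) by dividing out the
    cyclotomic polynomials of the proper divisors of n (memoized in _cache)."""
    if n not in _cache:
        num = [Fraction(-1)] + [Fraction(0)] * (n - 1) + [Fraction(1)]   # t^n - 1
        for d in divisors(n)[:-1]:                                        # all d | n with d < n
            num, rem = divmod_poly(num, cyclotomic(d))
            if rem:
                raise ArithmeticError("Phi_%d does not divide t^%d - 1" % (d, n))
        _cache[n] = num
    return _cache[n]

def product_over_divisors(n):
    """prod_{d | n} Phi_d(t); by the factorization above this is t^n - 1 again."""
    out = [Fraction(1)]
    for d in divisors(n):
        out = mul(out, cyclotomic(d))
    return out

# The colour algebra Q[sh] of one shift sh of order n is Q[t] / <t^n - 1>: residue classes are
# represented by coefficient lists of length n, exponents being folded modulo n.

def residue_mod_cyclic(p, n):
    out = [Fraction(0)] * n
    for k, c in enumerate(p):
        out[k % n] += c
    return out

def times_in_shift_algebra(p, q, n):
    """Product of two residue classes in Q[t] / <t^n - 1>."""
    return residue_mod_cyclic(mul(p, q), n)

def annihilator_generator(n):
    """S = (1/n) * sum_{i<n} sh^i, the generator of ann(sh - 1) from Example 3.5."""
    return [Fraction(1, n)] * n

if __name__ == "__main__":
    n = 6   # assumed order of the shift; the paper keeps n_j symbolic
    print("Phi_6 =", cyclotomic(n))
    print("prod Phi_d == t^6 - 1:", product_over_divisors(n) == [-1] + [0] * (n - 1) + [1])
    S = annihilator_generator(n)
    print("S * (sh - 1) == 0:", times_in_shift_algebra(S, [-1, 1], n) == [0] * n)
    print("S * S == S:", times_in_shift_algebra(S, S, n) == S)
```

The recursion in `cyclotomic` is the factorization $t^n - 1 = \prod_{d \mid n} \Phi_d(t)$ read from right to left; the division is exact at every step, which is why a non-zero remainder is treated as an error. Folding exponents modulo n is exactly the passage to the residue class ring of Remark 3.4.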

3.6 Lemma (Artin Factorization). Denote by K a field. Every Artin K-algebra R factors into a finite product 

$$R = \prod_{i=1}^{k} R_i$$ 

of local Artin K-algebras $R_i$ (Artin factors), i = 1, ..., k. For reduced R every factor $R_i$, i = 1, ..., k, is an extension field of finite degree over the ground field K. 

For the concept of a local ring and for the proof cf. [AM1969], Theorem 8.7 resp. [Vas1998], Theorem A.1.4. 

For a reduced colour algebra the module of flows with coefficients from the full ring of endomorphisms is already determined by the flows with coefficients from the colour algebra. 
3.7 Remark (Ring Extension). Denote by $N = (T, P, C, w^+, w^-)$ a commutative net. If the rational colour algebra $A_Q$ is reduced, then the natural map 

$$Z_i(N, A_Q) \otimes_{A_Q} End_Q(C_Q) \to Z_i(N, End_Q(C_Q)), \quad i = 0, 1,$$ 

is an isomorphism, i.e. we obtain generators of the flows $Z_i(N, End_Q(C_Q))$ from the generators of $Z_i(N, A_Q)$ by tensoring with endomorphisms. 

Proof. By Lemma 3.6 the reduced colour algebra $A_Q$ is a product of fields, hence semisimple. Every module over a semisimple commutative ring is flat, cf. [Bou1972], §2, n°. 4. Hence the torsion product vanishes, 

$$Tor_1^{A_Q}(-, End_Q(C_Q)) = 0, \quad \text{QED.}$$ 



4 Gröbner Theory 

The rational colour algebra of an Artin net is a quotient of a ring R of polynomials with rational coefficients. Explicit calculations with free R-modules of finite rank are achieved by Gröbner bases. They reduce statements about polynomials to explicit calculations with monomials. The present chapter gives a short introduction to commutative Gröbner theory. The results will be applied to Petri net theory in Chapter 5. For the sake of simplicity we state the following results only for the ring R = Q[X, Y] of polynomials in 2 indeterminates. But all results hold literally for an arbitrary finite number of indeterminates. 

4.1 Definition (Polynomials and Their Leading Terms). i) On the set of terms of R we choose the homogeneous-lexicographic order: two terms 

$$T_1 = X^{n_1} Y^{m_1} \text{ and } T_2 = X^{n_2} Y^{m_2} \in R \text{ satisfy } T_1 > T_2$$ 

iff either $\deg T_1 := n_1 + m_1 > \deg T_2$, or $\deg T_1 = \deg T_2$ and $(n_1, m_1) > (n_2, m_2)$ with respect to the lexicographic order of $\mathbb{N}^2$. 

ii) With respect to the homogeneous-lexicographic order all terms of a given polynomial 

$$f = \sum_{(n, m) \in \mathbb{N}^2} c_{n,m} X^n Y^m \in R, \quad c_{n,m} \in Q,$$ 

can be arranged uniquely in decreasing order. For $f \neq 0$ the highest term is called the leading term LT(f), its coefficient the leading coefficient LC(f) of f. 

iii) The S-polynomial of two elements $0 \neq f, g \in R$ is defined as the polynomial 

$$S(f, g) := LC(g)\, \frac{\mathrm{lcm}(LT(f), LT(g))}{LT(f)}\, f - LC(f)\, \frac{\mathrm{lcm}(LT(f), LT(g))}{LT(g)}\, g$$ 

with $\mathrm{lcm}(LT(f), LT(g)) \in R$ the least common multiple of the leading terms of f and g. 
As a generalization of the Euclidean algorithm we have for multivariate polynomials: 

4.2 Lemma (Reduction of a Polynomial). For a given polynomial f and a given set $G = \{ g_1, \ldots, g_n \}$ of polynomials there exists a representation 

$$f = \sum_{i=1}^{n} f_i\, g_i + r$$ 

with polynomials $f_1, \ldots, f_n, r \in R$ such that 

• $LT(f) \ge \max \{ LT(f_i g_i) : i = 1, \ldots, n \}$ 

• and no term of r belongs to the ideal $\langle LT(g_1), \ldots, LT(g_n) \rangle$. 

The polynomial $r \in R$, the reduction of f modulo G, can be computed with a division algorithm. 

4.3 Definition (Gröbner Base). A subset $G = \{ g_1, \ldots, g_n \}$ of an ideal $I \subset R$ is called a Gröbner base of I iff the leading terms $LT(g_1), \ldots, LT(g_n)$ generate the leading ideal of I, 

$$LT(I) := \langle LT(f) : f \in I \setminus \{ 0 \} \rangle,$$ 

which is generated by the leading terms of all non-zero elements from I. 

4.4 Proposition (Gröbner Base). i) A Gröbner base of an ideal generates the ideal. 

ii) (Buchberger) For a system of generators G of an ideal $I \subset R$ the following are equivalent: 

• G is a Gröbner base of I. 

• The reductions modulo G of all S-polynomials of elements from G vanish. 

• Every element from R has a unique reduction modulo G. 

The standard algorithm for the computation of Gröbner bases is due to Buchberger. 

4.5 Buchberger Algorithm 

Input: Ideal $I = \langle f_1, \ldots, f_n \rangle \subset R$. Output: Gröbner base $G = \{ g_1, \ldots, g_m \}$ of I. 

  G = { f_1, ..., f_n } 
  B = { {f_i, f_j} : i < j } as a set of unordered pairs 
  While B ≠ ∅ 
    Choose {f, g} ∈ B 
    B = B \ { {f, g} } 
    Determine a reduction r ∈ R of S(f, g) modulo G 
    If r ≠ 0 then set B = B ∪ { {r, h} : h ∈ G } and G = G ∪ { r } 
  G is a Gröbner base of I. 

Table 1. Buchberger algorithm 

4.6 Example (Gröbner Base). Following Algorithm 4.5 one computes for the ideal 

$$I = \langle X^2,\ XY + Y^2 \rangle \subset R$$ 

the Gröbner base 

$$G = \{ X^2,\ XY + Y^2,\ Y^3 \}.$$ 

In order to compute the kernel of a linear map we will choose suitable generators of its image and calculate the "syzygies" of these generators. If the generators form a Gröbner base, then the syzygies can be read off from their S-polynomials. This is the great advantage of Gröbner bases in the present context. 

4.7 Definition (Syzygies). A syzygy of a finite family $F = \{ f_1, \ldots, f_n \}$ of elements from R is a tuple 

$$\tau = (a_1, \ldots, a_n) \text{ of elements from } R \text{ with } \sum_{i=1}^{n} a_i f_i = 0.$$ 

The syzygies of $F = \{ f_1, \ldots, f_n \}$ form the kernel of the R-linear map $f: R^n \to R$ with matrix $M(f) = (f_1, \ldots, f_n)$. Therefore $\ker f$ is called the module of syzygies of F. 

4.8 Lemma (Syzygies of a Gröbner Base, Schreyer). Denote by $G = \{ g_1, \ldots, g_n \}$ a Gröbner base of the ideal $I \subset R$ with S-polynomials 

$$S(g_i, g_j) = a_{ji}\, g_i - a_{ij}\, g_j = \sum_{k=1}^{n} h^k_{ij}\, g_k, \quad 1 \le i < j \le n, \quad a_{ij}, h^k_{ij} \in R.$$ 

The R-module of syzygies of G is generated by the elements 

$$\tau_{ij} := a_{ji}\, e_i - a_{ij}\, e_j - \sum_{k=1}^{n} h^k_{ij}\, e_k \in R^n, \quad 1 \le i < j \le n,$$ 

where $(e_k)_{k=1,\ldots,n}$ denotes the canonical base of the R-module $R^n$. 

4.9 Remark (Generalization to Submodules). In the general case it is not sufficient to develop Gröbner theory only for ideals $I \subset R$. It is possible to replace the ideal by a submodule $M \subset F$ of a free R-module F of finite rank. Then one considers Gröbner bases of M with respect to a suitable term ordering. All statements hold analogously for this more general situation, cf. [CLO1998]. 
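The following Python implementation of the division algorithm (Lemma 4.2), of Buchberger's Algorithm 4.5 and of the syzygy construction of Lemma 4.8 is an added example and not the paper's own code (the paper computes with Macaulay 2). It works in R = Q[X, Y] with the homogeneous-lexicographic order of Definition 4.1, represents a polynomial as a dict from exponent pairs to rational coefficients, and recomputes Example 4.6. The function names `P`, `lead`, `divide`, `reduce_mod`, `s_poly`, `buchberger`, `schreyer_syzygies` and `apply_syzygy` are choices of this example.

```python
from fractions import Fraction

# Polynomials in R = Q[X, Y] as dicts {(a, b): c} meaning c * X^a * Y^b (c a Fraction).
# Term order: homogeneous-lexicographic as in Definition 4.1 (total degree first, then X > Y).

def P(*terms):
    """Build a polynomial from (a, b, c) triples, e.g. P((1, 1, 1), (0, 2, 1)) is XY + Y^2."""
    return {(a, b): Fraction(c) for a, b, c in terms if c != 0}

def _order(term):
    return (sum(term), term)

def lead(f):
    """Leading term LT(f) and leading coefficient LC(f) of a non-zero polynomial."""
    t = max(f, key=_order)
    return t, f[t]

def add(f, g, c=Fraction(1)):
    """f + c*g with zero coefficients dropped."""
    h = dict(f)
    for t, v in g.items():
        h[t] = h.get(t, Fraction(0)) + c * v
        if h[t] == 0:
            del h[t]
    return h

def shift(f, term, c=Fraction(1)):
    """c * X^term[0] * Y^term[1] * f."""
    return {(a + term[0], b + term[1]): c * v for (a, b), v in f.items()}

def divides(t, s):
    return t[0] <= s[0] and t[1] <= s[1]

def divide(f, G):
    """Division algorithm of Lemma 4.2: f = sum_i q_i g_i + r with no term of r in <LT(G)>.
    Returns (quotients [q_1, ..., q_n], remainder r)."""
    quot, r, f = [{} for _ in G], {}, dict(f)
    while f:
        t, c = lead(f)
        for i, g in enumerate(G):
            gt, gc = lead(g)
            if divides(gt, t):
                m, q = (t[0] - gt[0], t[1] - gt[1]), c / gc
                quot[i] = add(quot[i], {m: q})
                f = add(f, shift(g, m, q), Fraction(-1))   # cancel the leading term of f
                break
        else:                      # no leading term of G divides t: t goes to the remainder
            r[t] = c
            del f[t]
    return quot, r

def reduce_mod(f, G):
    """The reduction r of f modulo G."""
    return divide(f, G)[1]

def s_poly(f, g):
    """S(f, g) = LC(g) (lcm/LT(f)) f - LC(f) (lcm/LT(g)) g  (Definition 4.1 iii)."""
    (ft, fc), (gt, gc) = lead(f), lead(g)
    lcm = (max(ft[0], gt[0]), max(ft[1], gt[1]))
    a = shift(f, (lcm[0] - ft[0], lcm[1] - ft[1]), gc)
    b = shift(g, (lcm[0] - gt[0], lcm[1] - gt[1]), fc)
    return add(a, b, Fraction(-1))

def buchberger(F):
    """Algorithm 4.5; the result is returned monic and minimal (redundant elements dropped)."""
    G = [dict(f) for f in F if f]
    pairs = [(i, j) for i in range(len(G)) for j in range(i)]
    while pairs:
        i, j = pairs.pop()
        r = reduce_mod(s_poly(G[i], G[j]), G)
        if r:                                  # a new leading term: enlarge G and the pair set
            G.append(r)
            pairs.extend((len(G) - 1, h) for h in range(len(G) - 1))
    G = [{t: v / lead(g)[1] for t, v in g.items()} for g in G]
    minimal = [g for i, g in enumerate(G)
               if not any(j != i and divides(lead(h)[0], lead(g)[0])
                          and (lead(h)[0] != lead(g)[0] or j < i)
                          for j, h in enumerate(G))]
    return sorted(minimal, key=lambda g: _order(lead(g)[0]))

def schreyer_syzygies(G):
    """Lemma 4.8: for each pair i < j write S(g_i, g_j) = a_ji g_i - a_ij g_j = sum_k h_k g_k
    and return tau_ij = a_ji e_i - a_ij e_j - sum_k h_k e_k as a list of n polynomials."""
    syz = []
    for j in range(len(G)):
        for i in range(j):
            (it, ic), (jt, jc) = lead(G[i]), lead(G[j])
            lcm = (max(it[0], jt[0]), max(it[1], jt[1]))
            a_ji = {(lcm[0] - it[0], lcm[1] - it[1]): jc}
            a_ij = {(lcm[0] - jt[0], lcm[1] - jt[1]): ic}
            h, r = divide(s_poly(G[i], G[j]), G)
            if r:
                raise ValueError("G is not a Groebner base: an S-polynomial does not reduce to 0")
            tau = [add({}, hk, Fraction(-1)) for hk in h]
            tau[i] = add(tau[i], a_ji)
            tau[j] = add(tau[j], a_ij, Fraction(-1))
            syz.append(tau)
    return syz

def apply_syzygy(tau, G):
    """sum_k tau_k g_k, which vanishes exactly for a syzygy of G."""
    total = {}
    for tk, g in zip(tau, G):
        for t, c in tk.items():
            total = add(total, shift(g, t, c))
    return total
```

`buchberger(\[P((2, 0, 1)), P((1, 1, 1), (0, 2, 1))\])` returns the three polynomials XY + Y², X², Y³ of Example 4.6, and `schreyer_syzygies` applied to that base yields one syzygy per pair, each of which `apply_syzygy` maps to 0; the quotients tracked by `divide` are exactly the $h^k_{ij}$ of Lemma 4.8. Inputs must use `Fraction` coefficients (as `P` does), since the division step `c / gc` must stay exact.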



5 Flows in Artin Nets 

In the present chapter we apply the Gröbner theory from Chapter 4 to Petri nets. Analogously to the computation in p/t nets achieved by matrix theory, we use Gröbner bases to compute the kernel of the incidence map of Artin nets. We denote by $R = Q[t_1, \ldots, t_m]$ the ring of polynomials in m indeterminates with rational coefficients. 

The following proposition compares the kernel of a linear map such as the incidence matrix with another linear map which describes the lift to a ring of polynomials. The proposition is fundamental for the explicit computation of flows. We prove it for the general submodule case. 
5.1 Proposition (Morphisms over Factor Rings). Consider a factor ring 

$$A := R / \langle h_1, \ldots, h_p \rangle$$ 

with respect to an ideal generated by a family $(h_i)_{i=1,\ldots,p}$ of polynomials and denote by $\pi: R \to A$ the residue map. In order to compute the kernel of a morphism 

$$f_A: A^{n_1} \to A^{n_2}$$ 

between free A-modules of finite rank, one first chooses a matrix $(f_{ij}) \in M(n_2 \times n_1, R)$ such that $f_A$ is represented by the residue classes $(\pi(f_{ij})) \in M(n_2 \times n_1, A)$, and then one considers the extended matrix 

$$\tilde f = \begin{pmatrix} f_{11} & \cdots & f_{1 n_1} & H & & \\ \vdots & & \vdots & & \ddots & \\ f_{n_2 1} & \cdots & f_{n_2 n_1} & & & H \end{pmatrix} \in M(n_2 \times (n_1 + p\, n_2), R), \quad H = (h_1 \ \cdots \ h_p) \in M(1 \times p, R),$$ 

which represents a morphism 

$$R^{n_1} \oplus R^{p n_2} \to R^{n_2}.$$ 

Now the first $n_1$ components of a system of generators for $\ker \tilde f \subset R^{n_1} \oplus R^{p n_2}$ are mapped by the residue map onto a system of generators of $\ker f_A \subset A^{n_1}$. 

Proof. The following diagram commutes by construction: 

$$\begin{array}{ccc} R^{n_1} & \xrightarrow{\ f_R = (f_{ij})\ } & R^{n_2} \\ \downarrow \pi_1 & & \downarrow \pi_2 \\ A^{n_1} & \xrightarrow{\ f_A\ } & A^{n_2} \end{array}$$ 

with $\pi_i := \pi^{\oplus n_i}$, i = 1, 2, induced from the residue map. For the general element $\pi_1(x) \in A^{n_1}$ holds: 

$$f_A(\pi_1(x)) = 0 \iff \pi_2(f_R(x)) = 0 \iff f_R(x) \in \langle h_1, \ldots, h_p \rangle R^{n_2}$$ 

$$\iff f_R(x) = \begin{pmatrix} H & & \\ & \ddots & \\ & & H \end{pmatrix} \begin{pmatrix} y_1 \\ \vdots \\ y_{p n_2} \end{pmatrix} \text{ for suitable } y_1, \ldots, y_{p n_2} \in R$$ 

$$\iff (x, -y)^T \in \ker \begin{pmatrix} f_{11} & \cdots & f_{1 n_1} & H & & \\ \vdots & & \vdots & & \ddots & \\ f_{n_2 1} & \cdots & f_{n_2 n_1} & & & H \end{pmatrix} \text{ for suitable } y \in R^{p n_2}, \quad \text{QED.}$$ 
Now we are ready for explicit computations. We apply the results from Chapters 3 and 4 in the submodule case. 

5.2 Algorithm (Computation of P-Flows). Consider an Artin net $N = (T, P, C, w^+, w^-)$ with rational colour algebra $A_Q$. 

Input. Incidence matrix $w_P: A_Q^{n_1} \to A_Q^{n_2}$ of N, $n_1$ = card P, $n_2$ = card T. 

Output. System of generators of $Z_1(N, A_Q)$. 

Remark 3.4: Represent the rational colour algebra 

$$A_Q = R / \langle h_1, \ldots, h_p \rangle$$ 

as quotient of a ring of polynomials $R = Q[t_1, \ldots, t_m]$. 

Proposition 5.1: Lift $w_P$ to a matrix $(w_{ij}): R^{n_1} \to R^{n_2}$ and introduce the extended incidence matrix 

$$\tilde w := \begin{pmatrix} w_{11} & \cdots & w_{1 n_1} & H & & \\ \vdots & & \vdots & & \ddots & \\ w_{n_2 1} & \cdots & w_{n_2 n_1} & & & H \end{pmatrix} \in M(n_2 \times k, R)$$ 

with $k := n_1 + p\, n_2$, $H = (h_1 \cdots h_p) \in M(1 \times p, R)$. 

Algorithm 4.5: Determine a Gröbner base $G = \{ g_1, \ldots, g_s \}$ of the submodule of $R^{n_2}$ which is generated by the columns $(\tilde w_i)_{i=1,\ldots,k}$ of $\tilde w$, together with a matrix $A_{wg} \in M(k \times s, R)$ with 

$$(g_1 \cdots g_s) = (\tilde w_1 \cdots \tilde w_k)\, A_{wg}.$$ 

Lemma 4.8: Determine a system of generators $\tau_{ij}$ of the syzygies of the Gröbner base G and define the column matrix 

$$T := (\tau_{ij}) \in M(s \times q, R),$$ 

q the cardinality of the system of generators. 

Lemma 4.2: Determine a matrix $A_{gw} \in M(s \times k, R)$ with 

$$(\tilde w_1 \cdots \tilde w_k) = (g_1 \cdots g_s)\, A_{gw}$$ 

by computing the reduction modulo G of the elements $\tilde w_i \in R^{n_2}$, i = 1, ..., k. 

Proposition 5.1: The residue classes in $A_Q$ of the first $n_1$ components of the columns of the matrix 

$$(\, 1 - A_{wg} A_{gw},\ A_{wg} T \,) \in M(k \times (k + q), R)$$ 

generate $Z_1(N, A_Q)$. 

Table 2. Algorithm for the computation of generators of $Z_1(N, A_Q)$ 
The complexity of Algorithm 5.2 has to take into account the size of the net as well as the degrees and the cardinality of a set of polynomials $(h_i)_{i=1,\ldots,p}$ which generate the defining ideal of the colour algebra. For complexity results from Gröbner theory cf. [BWK1998], Appendix. 

Petri Net Theory - Problems Solved by Commutative Algebra 261 

5.3 Remark (Tool Support). The tool Macaulay 2 ([GS1996]) supports all steps of Algorithm 5.2. It works for submodules over rings of polynomials with an arbitrary finite number of indeterminates. A single command calculates a system of generators of flows. Moreover the tool serves as a useful help to study fundamental issues of Commutative Algebra. 

5.4 Example (P-Flows of Clock Synchronization). The Artin net from Example 3.2 has the rational colour algebra 

$$A_Q = Q[sh_1, sh_2] \cong Q[t_1, t_2] / \langle t_1^{n_1} - 1,\ t_2^{n_2} - 1 \rangle,$$ 

cf. Example 3.5. According to Algorithm 5.2 the kernel of the incidence map $w_P$ can be computed by lifting the map $w_P$ to a map $w_{P,R}$ over the ring of polynomials $R = Q[t_1, t_2]$. In the next step one has to determine the kernel of the extended matrix 

$$\tilde w = \begin{pmatrix} t_2 & -1 & -1 & t_2 - 1 & t_1^{n_1} - 1 & t_2^{n_2} - 1 & 0 & 0 \\ -1 & 1 & t_1 & 0 & 0 & 0 & t_1^{n_1} - 1 & t_2^{n_2} - 1 \end{pmatrix} \in M(2 \times 8, R)$$ 

and to project the generators onto $Z_1(N, A_Q)$ under the residue map $R \to A_Q$. For this purpose one uses Gröbner theory. The program Macaulay 2, cf. Remark 5.3, computes the result for different values of $n_1$ resp. $n_2$. We obtain with respect to the canonical base $(p_i)_{i=1,\ldots,4}$ of $A_Q^4 \cong C_1(N, A_Q)$ 

$$Z_1(N, A_Q) = \mathrm{span}_{A_Q} \{ \pi_1, \pi_2, \pi_3, \pi_4 \}, \quad \pi_1 = \begin{pmatrix} 1 \\ 1 \\ 0 \\ -1 \end{pmatrix}, \ \pi_2 = \begin{pmatrix} 1 - sh_1 \\ 1 - sh_1 sh_2 \\ sh_2 - 1 \\ 0 \end{pmatrix}, \ \pi_3 = \begin{pmatrix} 0 \\ S_1 \\ -S_1 \\ 0 \end{pmatrix}, \ \pi_4 = \begin{pmatrix} S_2 \\ S_2 \\ 0 \\ 0 \end{pmatrix}.$$ 

Note: The first two syzygies generate the kernel of the lifted morphism $w_{P,R}: R^4 \to R^2$. 

The generators from [CM1990], Section 5.2, are: 

$$Z_1(N, A_Q) = \mathrm{span}_{A_Q} \{ \sigma_1, \sigma_2, \sigma_3, \sigma_4 \}, \quad \sigma_1 = \begin{pmatrix} 0 \\ 0 \\ 0 \\ S_2 \end{pmatrix}, \ \sigma_2 = \begin{pmatrix} 0 \\ -S_1 \\ S_1 \\ 0 \end{pmatrix}, \ \sigma_3 = \begin{pmatrix} -1 \\ -1 \\ 0 \\ 1 \end{pmatrix}, \ \sigma_4 = \begin{pmatrix} 0 \\ -(sh_2 - 1)\, sh_1 \\ sh_2 - 1 \\ -(sh_1 - 1) \end{pmatrix}.$$ 

Both sets of generators transform into each other: 

$$\begin{pmatrix} \sigma_1 \\ \sigma_2 \\ \sigma_3 \\ \sigma_4 \end{pmatrix} = B \begin{pmatrix} \pi_1 \\ \pi_2 \\ \pi_3 \\ \pi_4 \end{pmatrix} \quad \text{with} \quad B = \begin{pmatrix} -S_2 & 0 & 0 & 1 \\ 0 & 0 & -1 & 0 \\ -1 & 0 & 0 & 0 \\ sh_1 - 1 & 1 & 0 & 0 \end{pmatrix} \in GL(4, A_Q).$$ 

Note: $S_1\, sh_1 = S_1$, because $S_1 (sh_1 - 1) = 0$. For an interpretation of the generating P-flows in terms of the original clock synchronization cf. [CM1990], Section 5.2. 

5.5 Example (Minimal Set of Generators). We continue with Example 3.2. In general neither Algorithm 4.3 from [CM1990] nor Algorithm 5.2, which is based on Gröbner theory, produces a minimal set of generators of P-flows. Both algorithms produce a family of 4 generators, but 3 generators are already sufficient.

i) To obtain a minimal system of generators we use the Artin factorization of the colour algebra according to Lemma 3.6. Recall from Example 3.5 the factorization into cyclotomic polynomials

$t^n - 1 = \prod_{d \mid n} \Phi_d(t).$

The local factors of the colour algebra

$A_{\mathbb{Q}} = \mathbb{Q}[sh_1, sh_2] \cong \mathbb{Q}[t_1, t_2] / \langle t_1^{n_1} - 1,\; t_2^{n_2} - 1 \rangle$

correspond bijectively to the maximal ideals of $A_{\mathbb{Q}}$, which form the set

$\mathrm{Specm}\, A_{\mathbb{Q}} = \{\, \mathfrak{m}_{d_1, d_2} := \langle \Phi_{d_1}(t_1), \Phi_{d_2}(t_2) \rangle : d_j \mid n_j \text{ for } j = 1, 2 \,\}.$

If we denote a primitive $d$-th root of unity by

$\zeta_d := e^{2\pi i / d} \in \mathbb{C}, \quad d \in \mathbb{N},$

then the maximal ideal $\mathfrak{m}_{d_1, d_2} \in \mathrm{Specm}\, A_{\mathbb{Q}}$ determines the local factor

$k(\mathfrak{m}_{d_1, d_2}) = \mathbb{Q}(\zeta_{d_1}, \zeta_{d_2}).$

ii) Table 3 shows for every local factor the corresponding component of the incidence map, its kernel dimension and the local values of the four generators $\pi_j \in Z_1(N, A_{\mathbb{Q}})$, $j = 1, \ldots, 4$.

In general the kernel of the incidence map $w_P(\mathfrak{m})$ has two generators; only the distinguished point $\mathfrak{m}_{1,1}$ needs three generators. We get

$Z_1(N, A_{\mathbb{Q}}) = \mathrm{span}_{A_{\mathbb{Q}}} \langle \pi_1,\; \pi_3 - \pi_2,\; \pi_4 - \pi_2 \rangle$

(the explicit components of $\pi_3 - \pi_2$ and $\pi_4 - \pi_2$ are not legible in the scanned copy),

Table 3. Localization at the Artin factors of $A_{\mathbb{Q}}$ (the entries of the table are not recoverable from the scanned copy)



because for every maximal ideal $\mathfrak{m} \in \mathrm{Specm}\, A_{\mathbb{Q}}$

$\ker w_P(\mathfrak{m}) = \mathrm{span} \langle \pi_1(\mathfrak{m}),\; (\pi_3 - \pi_2)(\mathfrak{m}),\; (\pi_4 - \pi_2)(\mathfrak{m}) \rangle.$

In order to confirm this result, one can check by some cumbersome computations:

$\pi_2 = [\, S_1 (1 - S_2)(sh_2^{n_2 - 1} - 1) + S_1 - 1 \,]\, (\pi_3 - \pi_2),$

$\pi_3 = (\pi_3 - \pi_2) + \pi_2 = S_1 [\, 1 + (1 - S_2)(sh_2^{n_2 - 1} - 1) \,]\, (\pi_3 - \pi_2),$

$\pi_4 = (\pi_4 - \pi_2) + \pi_2 = (\pi_4 - \pi_2) + [\, S_1 (1 - S_2)(sh_2^{n_2 - 1} - 1) + S_1 - 1 \,]\, (\pi_3 - \pi_2).$
6 Potential Reachability of Markings

Up to now we have studied the kernel of the incidence map, i.e. we computed the flows of a net. In the present chapter we focus on the image of the incidence map, i.e. we compute the potentially reachable markings. Currently this problem has only been solved for p/t nets. The marking equation of a p/t net $N$ with incidence map

$w_T: C_0(N) \to C^1(N, \mathbb{Z})$

is the linear equation

$m_{post} = m_{pre} + w_T(t),$

cf. Remark 2.6. The problem of potential reachability asks for a solution of the corresponding inhomogeneous linear equation. Over a field the problem is solved by Linear Algebra: one has to compare the rank of $w_T$ with the rank of the extended matrix, which is bordered by the additional column $m_{post} - m_{pre}$. In the next step one replaces the field by a ring from the more general class of principal ideal domains such as $\mathbb{Z}$:

6.1 Definition (Principal Ideal Domain). A ring $R$ is called a principal ideal domain iff it has no zero-divisors and every ideal is generated by a single element.

For a principal ideal domain one has to consider also the minors of maximal rank.

6.2 Proposition (Inhomogeneous Linear Equations over a Principal Ideal Domain). Denote by $A$ a principal ideal domain and consider a morphism

$f: V \to W$

between free $A$-modules of finite rank. For a given element $w_0 \in W$ we have the equivalence:

$w_0 \in \mathrm{im}\, f \iff \mathrm{rank}\, f = \mathrm{rank}\,(f, w_0) =: r \;\text{ and }\; \langle \mathrm{minors}(r, f) \rangle = \langle \mathrm{minors}(r, (f, w_0)) \rangle.$

Here we have used the notation $\langle \mathrm{minors}(r, B) \rangle$ for the ideal of $A$ generated by all minors of rank $r$ of a given matrix $B$.

The proof makes use of the basic result about modules over principal ideal domains ([Bou1981], §4, N° 3, Théorème 1):

6.3 Theorem (Modules over a Principal Ideal Domain). Denote by $A$ a principal ideal domain and consider a pair $M \subset F$ of $A$-modules. If $F$ is free and $M$ finitely generated, then

• $M$ is free.

• There exist non-zero elements $\alpha_i \in A$, $i = 1, \ldots, r := \mathrm{rank}(M)$, with $\alpha_i \mid \alpha_{i+1}$ for $i = 1, \ldots, r-1$, and a basis $(e_i)_{i \in I}$ of $F$ with a subfamily $(e_i)_{i=1,\ldots,r}$ such that the family $(\alpha_i e_i)_{i=1,\ldots,r}$ is a basis of $M$.

• The sequence of ideals $\langle \alpha_i \rangle_{i=1,\ldots,r}$ (invariants of $M$ relative to $F$) and the module $\mathrm{span}_A \langle e_i : i = 1, \ldots, r \rangle$ are uniquely determined.



Proof of Proposition 6.2. Set $n := \mathrm{rank}\, V$ and $m := \mathrm{rank}\, W$. The statement of the proposition is independent of the choice of bases. We apply Theorem 6.3. After choosing suitable $A$-bases of $V$ resp. $W$ we can assume that $f$ has the matrix

$M(f) = \mathrm{diag}(\alpha_1, \ldots, \alpha_r, 0, \ldots, 0) \in M(m \times n, A), \quad r = \mathrm{rank}\, f,$

with invariants $\langle \alpha_i \rangle_{i=1,\ldots,r}$ of $f(V)$ relative to $W$. Set

$w_0 = (w_1 \ldots w_m)^T \in A^m.$

The rank condition $\mathrm{rank}\, f = \mathrm{rank}\,(f, w_0)$ means that the extended matrix $(f, w_0)$ has no nonzero minor of rank $r+1$, which can easily be seen to be equivalent to

• $w_i = 0$ for $i = r+1, \ldots, m$.

The second condition

$\langle \mathrm{minors}(r, f) \rangle = \langle \mathrm{minors}(r, (f, w_0)) \rangle$

means

$\langle \alpha_1 \alpha_2 \cdots \alpha_r \rangle = \langle \alpha_1 \alpha_2 \cdots \alpha_r,\; \alpha_1 \cdots \widehat{\alpha_i} \cdots \alpha_r\, w_i : i = 1, \ldots, r \rangle$

(here $\widehat{\alpha_i}$ denotes deletion of $\alpha_i$),

• i.e. $w_i \in \langle \alpha_i \rangle$ for $i = 1, \ldots, r$.

On the other hand, the existence of a vector $v = (v_1 \ldots v_n)^T \in A^n$ with $f(v) = w_0$ means

• $\alpha_i v_i = w_i$ for $i = 1, \ldots, r$ and $w_i = 0$ for $i = r+1, \ldots, m$.

Obviously both sets of conditions are identical, QED.

For a different proof of Proposition 6.2 cf. [Bou1981], §4, exercice 18.

6.4 Theorem (Potential Reachability in p/t Systems). A given marking $m_1$ is potentially reachable over $\mathbb{Z}$ in the p/t system $(N, m_0)$ with incidence map $w$ iff for $m := m_1 - m_0$, the difference $m_{post} - m_{pre}$ of the marking equation,

$\mathrm{rank}\, w = \mathrm{rank}\,(w, m) =: r$

and $\langle \mathrm{minors}(r, w) \rangle = \langle \mathrm{minors}(r, (w, m)) \rangle$.

Proof. The theorem is a special case of Proposition 6.2, QED.

In [DNR1996], Theorem 5.2, the authors prove an analogous criterion for potential reachability of markings over $\mathbb{Z}$. They start from duality theory for vector spaces: the image of a morphism is characterized by the kernel of the dual map. For p/t systems the kernel of the dual map is the space of P-flows. Their generalization over $\mathbb{Z}$ considers modulo-invariants, which check the dual problem over certain primes. Of course also the method from [DNR1996] relies on Theorem 6.3.

6.5 Example (Nonreachability of a Marking in a p/t Net). Fig. 1 in [DNR1996] shows a particular Petri net $(N, m_{pre})$. The authors construct a distinguished marking $m_{post}$ which satisfies the marking equation over $\mathbb{Q}$. Nevertheless, using modulo-invariants they prove that $m_{post}$ is not reachable over $\mathbb{Z}$.

Without using modulo-invariants the same result can be obtained from Theorem 6.4. One computes by hand or e.g. by Macaulay 2:

• $\mathrm{rank}\, w = \mathrm{rank}\,(w, m_{post} - m_{pre}) = 4$,

• but $\langle \mathrm{minors}(4, w) \rangle = \langle 2 \rangle \neq \langle \mathrm{minors}(4, (w, m_{post} - m_{pre})) \rangle = \langle 1 \rangle$.
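The criterion of Theorem 6.4 is easy to run mechanically. The following Python code is an added example; it is not from the paper and does not reproduce the net of [DNR1996]. It computes ranks over $\mathbb{Q}$ exactly, computes the ideal $\langle \mathrm{minors}(r, B) \rangle \subset \mathbb{Z}$ as the gcd of all $r \times r$ minors, and applies both the field test (ranks only) and the $\mathbb{Z}$ test (ranks plus minor ideals) to a small constructed p/t net whose arc weights 2 and 3 make the marking equation solvable over $\mathbb{Q}$ but not over $\mathbb{Z}$. The net, the markings and the function names are assumptions of the example.

```python
from fractions import Fraction
from itertools import combinations
from math import gcd


def rank(rows):
    """Rank over Q by exact Gaussian elimination (Fractions, so no rounding error)."""
    m = [[Fraction(x) for x in row] for row in rows]
    r = 0
    for c in range(len(m[0]) if m else 0):
        piv = next((i for i in range(r, len(m)) if m[i][c] != 0), None)
        if piv is None:
            continue
        m[r], m[piv] = m[piv], m[r]
        for i in range(len(m)):
            if i != r and m[i][c] != 0:
                f = m[i][c] / m[r][c]
                m[i] = [a - f * b for a, b in zip(m[i], m[r])]
        r += 1
    return r


def det(square):
    """Exact determinant of a square integer matrix (empty matrix has determinant 1)."""
    m = [[Fraction(x) for x in row] for row in square]
    n, d = len(m), Fraction(1)
    for c in range(n):
        piv = next((i for i in range(c, n) if m[i][c] != 0), None)
        if piv is None:
            return 0
        if piv != c:
            m[c], m[piv] = m[piv], m[c]
            d = -d
        d *= m[c][c]
        for i in range(c + 1, n):
            f = m[i][c] / m[c][c]
            m[i] = [a - f * b for a, b in zip(m[i], m[c])]
    return int(d)


def minor_ideal(rows, r):
    """Generator of the ideal <minors(r, B)> of Z: the gcd of all r x r minors of B."""
    g = 0
    for ri in combinations(range(len(rows)), r):
        for ci in combinations(range(len(rows[0])), r):
            g = gcd(g, abs(det([[rows[i][j] for j in ci] for i in ri])))
    return g


def bordered(w, m):
    """The extended matrix (w, m): w with the column m appended."""
    return [list(row) + [x] for row, x in zip(w, m)]


def solvable_over_Q(w, m):
    """Marking equation solvable over the field Q: the ranks agree (Linear Algebra test)."""
    return rank(w) == rank(bordered(w, m))


def potentially_reachable_over_Z(w, m_pre, m_post):
    """Theorem 6.4: rank condition plus equality of the ideals of r-minors over Z."""
    m = [b - a for a, b in zip(m_pre, m_post)]
    r = rank(w)
    if r != rank(bordered(w, m)):
        return False
    return minor_ideal(w, r) == minor_ideal(bordered(w, m), r)


# Constructed p/t net (not the one of [DNR1996]): places p1, p2, p3 and transitions
# t1: 2 p1 -> 2 p2 and t2: 3 p2 -> 3 p3; rows are places, columns are transitions.
W = [[-2, 0],
     [2, -3],
     [0, 3]]

if __name__ == "__main__":
    print(solvable_over_Q(W, [-1, -2, 3]))                        # True: x = (1/2, 1)
    print(potentially_reachable_over_Z(W, [1, 2, 0], [0, 0, 3]))  # False: <6> != <3>
    print(potentially_reachable_over_Z(W, [2, 2, 0], [0, 1, 3]))  # True: x = (1, 1)
```

For the first marking pair the rank test passes (the rational solution has a half-integer component), but the $2 \times 2$ minors of $w$ generate $\langle 6 \rangle$ while those of $(w, m)$ generate $\langle 3 \rangle$, so the marking is not potentially reachable over $\mathbb{Z}$; the second pair has the integer solution $(1, 1)$ and both ideals are $\langle 6 \rangle$.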



7 Outlook and Future Work

In the present paper we have focused on the rational colour algebra of a commutative net. If we multiply a flow with coefficients from $A_{\mathbb{Q}}$ by a common denominator of all its components, then we obtain a flow with coefficients from $A_{\mathbb{Z}}$. Concerning the question of reachability the situation is quite different: proving potential reachability of markings over $\mathbb{Z}$ is much more difficult than over $\mathbb{Q}$. The generalization of Theorem 6.4 to the class of commutative nets will be the subject of further work.

Commutative nets require the commutativity of the colour functions. They form a subclass of homogeneous nets, which is computable with Commutative Algebra. From the point of view of general coloured nets this condition is rather restrictive. The next generalization weakens this condition and considers homogeneous nets with a solvable colour algebra. Accordingly one has to generalize the ring of polynomials before applying non-commutative Gröbner theory. For the latest account of Gröbner theory cf. [BW1998] and [BWK1998].

After leaving the domain of linear equations one enters the realm of linear inequalities. Here one has to introduce a concept of positivity for homogeneous nets, which is indispensable for the token game on any kind of Petri net.
Abstract. The 10th Hilbert problem is used as a test for undecidability of the reachability problem in some classes of Petri nets, such as self-modifying nets, nets with priorities and nets with inhibitor arcs. A common method is proposed in which implementing multiplication in a weak sense in a given class of Petri nets including PT-nets is sufficient for such undecidability.



Place-transition nets (PT-nets) are considered "the" Petri nets and, when talking about Petri nets without adjectives, one usually means just this class of nets. The decidability of the reachability problem for Petri nets was proved by Mayr and Kosaraju at the beginning of the 80's. The decidability result was difficult to prove and was obtained after years of attacking this problem. It became clear that the decidability of reachability holds for PT-nets "on the edge", so it is very probable that when we extend the class of PT-nets by some facilities, we can improve the expressive power of the nets, but the decidability of the reachability problem may be lost.

The expressive power of PT-nets turned out to be too small for many prac- 
tical purposes. In order to model some phenomena inexpressible in the PT-nets 
framework, many extensions of PT-nets were proposed. Among them we con- 
sider nets with inhibitor arcs, nets with priorities, nets with reset transitions, 
self-modifying nets and many others. The reachability problem in all the above 
mentioned classes is undecidable. 

When we come to the idea to extend the class of PT-nets, we should consider 
the decidability of the reachability problem, because if it turns out to be unde- 
cidable, the computer-aided analysis of the net behaviour becomes questionable. 
At least, when the so-called safety properties are considered, they require as- 
surance that no “bad” marking occurs. And when one cannot decide if a given 
marking is reachable, the possibilities to answer this question are limited. 

There are many methods to prove undecidability of the reachability problem. The reduction of known undecidability results in automata theory or logic is a common tool. In this paper a reduction of the 10th Hilbert problem is presented.

The 10th Hilbert problem was probably first used in the literature to show some undecidabilities (for instance the problem whether the reachability sets of two given nets are equal). It was observed there that one can almost model multiplication by a Petri net in the following sense. A net exists with three places $p_1$, $p_2$ and $p_3$ such that if $p_1$ and $p_2$ possess $x$ and $y$ tokens respectively, and no tokens are present on the other places of the net at the initial marking, then for all firing sequences, when a marking is reached in which all the places except $p_3$ have no tokens, no more than $xy$ tokens are on $p_3$, and, moreover, there exists a firing sequence such that exactly $xy$ tokens are on $p_3$.

This was close to a proof of undecidability of the reachability problem. The missing touch was the absence of an example of a net in which exactly $xy$ tokens would occur on $p_3$ in every reachable marking which empties the other places. This was, as we know now, impossible. Such a net does not exist: the reachability problem is decidable for PT-nets.

However, when talking about various extensions of PT-nets, we can come back to this idea. The paper presents a result which will allow us to check whether the reachability problem is undecidable in some classes of Petri nets. A sufficient condition for undecidability is somewhat dual to the condition presented above. We will require that no less than $xy$ tokens are reached on $p_3$, and that $xy$ tokens are also reachable for some reachable marking.

Some examples will be presented to illustrate the applicability of the 10th Hilbert problem to undecidability of the reachability problem. The paper has some didactic value also, since the formulation (not the proof!) of the 10th Hilbert problem is elementary, and a formulation of the undecidability result in terms of a token game is appealing.



1 Definitions

We adopt a standard notation for PT-nets.

A PT-net is a four-tuple $N = (P, T, Pre, Post)$ where $P$ and $T$ are disjoint, nonempty and finite sets of places and transitions. The incidence functions $Pre$ and $Post$ map $P \times T$ into $\mathbb{N}$. Nets can be seen, and drawn, as weighted bipartite graphs, where the elements of $P$ are denoted by circles, while the elements of $T$ are deno
ted by bars.

A function $M: P \to \mathbb{N}$ is called a marking. If $M(p) = 0$ for each $p$, then $M$ is called the zero marking. Markings are represented in vector form. A PT-system is a tuple $(N, M_0)$ where $N$ is a PT-net and $M_0$ is the initial marking. A transition $t$ is enabled at $M$ iff for every $p \in {}^\bullet t$: $M(p) \ge Pre(p, t)$. If $t$ is enabled at $M$, then $t$ may fire, yielding a new marking $M'$ given by $M'(p) = M(p) - Pre(p, t) + Post(p, t)$ for each $p$. The fact that the firing of $t$ changes the marking $M$ into the marking $M'$ is denoted by $M[t\rangle M'$. Also $M[t\rangle$ denotes the marking into which $M$ is transformed by the firing of $t$. A firing sequence from $M$ is a sequence $\sigma = t_1 t_2 \cdots t_r \in T^*$ such that $M[t_1\rangle M_1[t_2\rangle M_2 \ldots M_{r-1}[t_r\rangle M_r$ for some $M_1, \ldots, M_r$. The set of firing sequences (the language) is denoted by $\mathcal{L}$, and the reachability set of $(N, M_0)$ is $R = \{ M_0[\sigma\rangle : \sigma \in \mathcal{L} \}$.

The reachability problem is, for a given net system $(N, M_0)$ and a marking $M$, to decide whether $M$ is in the reachability set of $(N, M_0)$.
Since PT-nets are often too weak for some purposes, many extensions of PT-nets were proposed. Assume for the rest of the paper that all the classes of Petri nets considered in this paper contain PT-nets as special cases. In the definitions that follow, we will present several useful extensions of PT-nets.

Definition 1.1. A net with priorities is a 5-tuple

$N_P = (P, T, Pre, Post, Priority),$

where the sets $P, T, Pre, Post$ are defined as previously, and $Priority: T \to \mathbb{N}$ is a function assigning a priority to every transition. In case of a conflict between transitions, only a transition with the highest priority is enabled and may fire (in case there is more than one transition with the highest priority, all of them are enabled, and the conflict is resolved in the standard way).

Definition 1.2. A net with inhibitor arcs is a 5-tuple

$N_I = (P, T, Pre, Post, Inh),$

where the sets $P, T, Pre, Post$ are defined as previously, and $Inh: P \times T \to \{0, 1\}$ is a function defining the so-called inhibitor arcs. There is an inhibitor arc from $p$ to $t$ iff $Inh(p, t) = 1$. A transition $t$ is enabled in a net with inhibitor arcs iff for all $p \in P$: $M(p) \ge Pre(p, t)$, and for all $p \in P$: $Inh(p, t) = 1 \Rightarrow M(p) = 0$. So all places connected to $t$ by inhibitor arcs must be empty to enable $t$.

This definition means that if we want $t$ to fire at all, $Pre(p, t) = 0$ whenever $Inh(p, t) = 1$; otherwise the transition $t$ could never be enabled. In other words: if there is an inhibitor arc from $p$ to $t$, then no other arc should connect $p$ and $t$. Inhibitor arcs $(p, t)$ can be modeled by ordinary arcs when $p$ is bounded. But if not, then their presence leads to a different class of nets.

Definition 1.3. A self-modifying net is a 4-tuple

$N_V = (P, T, Pre_V, Post_V),$

where the sets $P$ and $T$ are defined as above, and the functions $Pre_V$ and $Post_V$ are not static, as in the case of PT-nets, but depend on the actual marking: they map $P \times T \times \mathcal{M}$ into $\mathbb{N}$, where $\mathcal{M}$ denotes the set of markings.

So in self-modifying nets the number of tokens carried along an arc depends on the actual marking.

Definition 1.4. A reset net is a 5-tuple

$N_R = (P, T, Pre, Post, Reset),$

where $Pre$ and $Post$ are defined as above, and $Reset$ maps $P \times T$ into $\{0, 1\}$. If $Reset(p, t) = 1$, then $Pre(p, t) = 0$, $Post(p, t) = 0$, and the $(p, t)$ arc is called a reset arc. A transition $t$ is enabled iff $Pre(p, t) > 0 \Rightarrow M(p) \ge Pre(p, t)$ and $Reset(p, t) = 1 \Rightarrow M(p) > 0$. After firing $t$ all ordinary arcs carry as many tokens as in the case of PT-nets, while the reset arcs empty the input reset places.
Now we present an idea of computability by Petri nets (Fig. 1).

Definition 1.5. A function $f: \mathbb{N}^n \to \mathbb{N}$ is computable by a Petri net if there exists a net $N = (P, T, Pre, Post)$ with certain places and transitions

$p_{x_1}, \ldots, p_{x_n}, start, stop, p_f, progress \in P, \quad run, finish \in T$

connected in the following way (Fig. 1):

Fig. 1. A net which computes a function. At the initial marking all places are empty except $start$ and $p_{x_1}, \ldots, p_{x_n}$. Every place $p_{x_i}$ holds initially $x_i$ tokens. When a marking is reached such that all places but $stop$ and $p_f$ are empty, then $f(x_1, \ldots, x_n)$ tokens should be on $p_f$. The place $progress$ is connected by a self-loop with every transition except $run$ and $finish$, but to keep the picture clean these arcs are omitted (and will be omitted in the pictures that follow).

1. ${}^\bullet start = \emptyset$

2. $Pre(start, run) = 1$, $Post(progress, run) = 1$

3. $Pre(progress, finish) = 1$, $Post(stop, finish) = 1$

4. $stop^\bullet = \emptyset$, $p_f^\bullet = \emptyset$

5. $\forall t \in T - \{run, finish\}: Pre(progress, t) = Post(progress, t) = 1$

such that for all initial markings $M_0$ satisfying $\forall 1 \le i \le n: M_0(p_{x_i}) = a_i$, $M_0(start) = 1$, and $\forall p \in P - \{p_{x_1}, \ldots, p_{x_n}, start\}: M_0(p) = 0$, when a marking $M \in [M_0\rangle$ is reached, the following condition holds:

$(M(stop) = 1,\; \forall p \in P - \{stop, p_f\}: M(p) = 0) \Rightarrow M(p_f) = f(a_1, \ldots, a_n).$

Since the place $progress$ is connected by a self-loop to every transition but $run$ and $finish$, the arcs connecting transitions with $progress$ will be omitted in all pictures.

The place $start$, when marked, indicates that the computation has not started yet. When the transition $run$ fires, it deposits a token on the place $progress$, which indicates that the computation is in progress. Once the transition $finish$ has fired, no other transition can fire, because the token is taken from $progress$, and this disables all transitions of the net. At this final stage all places but $stop$ and $p_f$ should be empty, and the place $p_f$ should hold exactly $f(x_1, \ldots, x_n)$ tokens.

If we want to reach a marking in which only the places $stop$ and $p_f$ are marked, then it is necessary to do all the job (emptying the other places) before the transition $finish$ is fired. To illustrate the idea of computability, let us consider the net from Fig. 2. It shows that addition is computable by Petri nets.




Fig. 2. Addition is computable by PT-nets

The only transition which may fire at the initial marking is $run$. When a token appears on $progress$, one cannot fire $finish$ before transition $t_1$ has fired $x_1$ times and transition $t_2$ has fired $x_2$ times. Otherwise, the places $p_1$ and $p_2$ would not be empty at the final marking. When this happens, and $x_1 + x_2$ tokens are collected on the place $p_f$, one may fire $finish$, resulting in a final marking with a token on $stop$.
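As an added example (not code from the paper), the following Python simulator implements the firing rule of Section 1 together with the extensions of Definitions 1.1, 1.2 and 1.4, then reconstructs the addition net of Fig. 2 from the description in the text and checks, by enumerating the reachability set, that every final marking ($stop$ marked, everything else empty) carries exactly $x_1 + x_2$ tokens on $p_f$. The place and transition names, the small inhibitor-arc net and the priority experiment are the example's own assumptions; the priority rule is applied among all enabled transitions, which matches the proofs below, where the $progress$ self-loop puts every enabled transition in conflict. Self-modifying nets (Definition 1.3) are not modelled.

```python
from collections import deque


class PTNet:
    """Place/transition net with the optional extensions of Definitions 1.1, 1.2 and 1.4:
    priorities, inhibitor arcs and reset arcs. Markings are tuples indexed by self.places."""

    def __init__(self, places, transitions):
        self.places = list(places)
        self.idx = {p: i for i, p in enumerate(self.places)}
        self.transitions = list(transitions)
        self.pre = {t: {} for t in self.transitions}       # Pre(p, t) for p in pre[t]
        self.post = {t: {} for t in self.transitions}      # Post(p, t) for p in post[t]
        self.inh = {t: set() for t in self.transitions}    # places p with Inh(p, t) = 1
        self.reset = {t: set() for t in self.transitions}  # places p with Reset(p, t) = 1
        self.priority = {t: 0 for t in self.transitions}

    def arc(self, src, dst, weight=1):
        """Weighted arc place -> transition (consumes) or transition -> place (produces)."""
        if src in self.idx:
            self.pre[dst][src] = weight
        else:
            self.post[src][dst] = weight
        return self

    def marking(self, **tokens):
        return tuple(tokens.get(p, 0) for p in self.places)

    def _locally_enabled(self, m, t):
        return (all(m[self.idx[p]] >= w for p, w in self.pre[t].items())
                and all(m[self.idx[p]] == 0 for p in self.inh[t])
                and all(m[self.idx[p]] > 0 for p in self.reset[t]))

    def enabled(self, m):
        """Priority rule applied among all locally enabled transitions (assumption: they are
        all in conflict, as in the proofs where they share the progress self-loop)."""
        cand = [t for t in self.transitions if self._locally_enabled(m, t)]
        if not cand:
            return []
        top = max(self.priority[t] for t in cand)
        return [t for t in cand if self.priority[t] == top]

    def fire(self, m, t):
        new = list(m)
        for p, w in self.pre[t].items():
            new[self.idx[p]] -= w
        for p in self.reset[t]:
            new[self.idx[p]] = 0
        for p, w in self.post[t].items():
            new[self.idx[p]] += w
        return tuple(new)

    def reachable(self, m0, limit=100_000):
        """Breadth-first enumeration of [M0>; raises if the net looks unbounded."""
        seen, queue = {m0}, deque([m0])
        while queue:
            m = queue.popleft()
            for t in self.enabled(m):
                n = self.fire(m, t)
                if n not in seen:
                    if len(seen) >= limit:
                        raise RuntimeError("reachability set exceeds limit")
                    seen.add(n)
                    queue.append(n)
        return seen


def addition_net():
    """Reconstruction of the addition net of Fig. 2 from the description in the text
    (place and transition names are assumptions)."""
    n = PTNet(["start", "progress", "stop", "px1", "px2", "pf"],
              ["run", "t1", "t2", "finish"])
    n.arc("start", "run").arc("run", "progress")
    n.arc("progress", "finish").arc("finish", "stop")
    for t in ("t1", "t2"):  # progress self-loop on every transition but run and finish
        n.arc("progress", t).arc(t, "progress")
    n.arc("px1", "t1").arc("t1", "pf")
    n.arc("px2", "t2").arc("t2", "pf")
    return n


def computed_values(net, **inputs):
    """Token counts on pf over all final markings (stop marked, all other places empty)."""
    finals = set()
    for m in net.reachable(net.marking(start=1, **inputs)):
        others = (m[net.idx[p]] for p in net.places if p not in ("stop", "pf"))
        if m[net.idx["stop"]] == 1 and all(v == 0 for v in others):
            finals.add(m[net.idx["pf"]])
    return finals


def zero_test_net():
    """Constructed net with one inhibitor arc: z (pq -> pz) may fire only once px is empty."""
    n = PTNet(["px", "pq", "pz"], ["t", "z"])
    n.arc("px", "t").arc("pq", "z").arc("z", "pz")
    n.inh["z"].add("px")
    return n


if __name__ == "__main__":
    print(computed_values(addition_net(), px1=3, px2=4))  # {7}
```

Giving $t_1$ a higher priority than the other transitions shrinks the reachability set of the addition net (the schedule becomes deterministic until $p_{x_1}$ is empty) without changing the computed value, which is the effect the proof of Proposition 2.2 relies on; the inhibitor-arc net shows that a marking with $p_x$ still marked and $p_z$ marked is never reached.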



2 Integer Polynomials and the Reachability

The 10th Hilbert problem is to determine, for a given polynomial $W(x_1, \ldots, x_n)$ with integer coefficients, whether $W(x_1, \ldots, x_n) = 0$ for some integer numbers $x_1, \ldots, x_n$. As was shown by Matijasevich, the 10th Hilbert problem is undecidable.

Let us start with a technical lemma stating that any combination of tokens is easily obtainable on selected places by firing some extra transitions added to a net.

Lemma 2.1. For the net in Fig. 3 every marking is reachable from the zero marking.

Proof. Assume that the marking $M$ is given. First we fire the first transition the required number of times, and then, depositing as many tokens as we need consecutively on the places $p_{x_1}, \ldots, p_{x_n}$, we transfer them from left to right. □

This lemma will be needed in preparing the input data $x_1, \ldots, x_n$ for a polynomial to compute its value. The net from Fig. 3 will produce the required number of tokens on each place to let the polynomial have the zero value, if this is possible at all.




Fig. 3. Every combination of tokens can be generated

Assume now that for every polynomial $W$ over nonnegative integers (the problems with negative arguments will be discussed later) we can construct a net which, for given $x_1, \ldots, x_n$, would compute $W(x_1, \ldots, x_n)$ on a place $p_f$ (in other words, polynomials would be computable in the sense given above). Since, according to the above lemma, we are able to generate any configuration of input $x_1, \ldots, x_n$ tokens on the places $p_{x_1}, \ldots, p_{x_n}$, it is enough now to ask whether a marking $M$, such that $M(p) = 1$ for $p = stop$ and $M(p) = 0$ for all other places, is reachable, to decide if the equation $W(x_1, \ldots, x_n) = 0$ has an integer solution.

Hence, if a net computing every polynomial in the sense given above existed, then it would mean that reachability is undecidable: the 10th Hilbert problem would be reduced to the reachability problem.

First we will show a general result concerning all classes of Petri nets containing PT-nets.

Theorem 2.1. If $f: \mathbb{N}^2 \to \mathbb{N}$ and $g: \mathbb{N}^2 \to \mathbb{N}$ are computable by Petri nets, then the function $h(x_1, x_2, x_3) = g(f(x_1, x_2), x_3)$ is also computable.




Fig. 4. $g(f(x_1, x_2), x_3)$ is computable if $g$ and $f$ are computable

Proof. Consider the net in Fig. 4. The only way to empty all places except $stop$ and $p_{fg}$ is to perform a computation of $f$ first, transfer the $x_3$ tokens to let them become input for $g$, and then the computation of $g$ does the job. □

Corollary 2.1. If multiplication is computable in a class $\mathcal{K}$ of Petri nets, then polynomials with nonnegative coefficients are computable in $\mathcal{K}$.

Proof. Immediate, since polynomials can be expressed as a composition of multiplications and additions, and addition has been shown above to be computable. □



Theorem 2.2. If multiplication is computable in a class $\mathcal{K}$ of Petri nets, then the reachability problem is undecidable in $\mathcal{K}$.

Proof. Assume that multiplication is computable in $\mathcal{K}$. First we will solve the problem of negative values in the integer domain. Computability was defined above in terms of natural numbers, while the 10th Hilbert problem is stated in the domain of integers.

We will first show that for every polynomial $W$ we can construct a finite set of polynomials $W_1, \ldots, W_M$ for some $M$ such that $W$ has a zero value for some integers $z_1, \ldots, z_n$ if and only if at least one polynomial $W_i$ has a zero value for some nonnegative integers $x_1, \ldots, x_n$. To observe this, it is enough to consider all $M = 2^n$ polynomials resulting from $W$ by substituting, for every $I \subseteq \{1, \ldots, n\}$ and all $i \in I$, $-x_i$ in place of $x_i$ in $W$. Now when a set of integer values $z_1, \ldots, z_n$ is chosen such that $W(z_1, \ldots, z_n) = 0$, then at least the polynomial which resulted from $W$ by substituting the variables corresponding to negative values of $z_i$ by their negatives also has the value 0 for nonnegative integers. On the other hand, when one of the polynomials $W_1, \ldots, W_M$ has the value 0 for some nonnegative integers, then by negating the arguments corresponding to the negated variables we get a solution of $W(z_1, \ldots, z_n) = 0$ in the integer domain.

So from the decidability point of view it is irrelevant whether we are looking for integer or nonnegative integer solutions.

What about negative coefficients in $W$? When we know that only nonnegative integers are taken into consideration, we can split the polynomial $W$ into a negative and a nonnegative part, grouping all the negative coefficients into a polynomial $W^-(x_1, \ldots, x_n)$ and the nonnegative ones into a polynomial $W^+(x_1, \ldots, x_n)$. Since $W^+ - (-W^-) = W$, we can reduce the problem of finding a nonnegative integer solution of $W$ to testing whether the two polynomials $W^+$ and $-W^-$, both with nonnegative coefficients, have equal values for some nonnegative integers $x_1, \ldots, x_n$.

This can easily be done by the net from Fig. 5.

A copy of $x_1, \ldots, x_n$ is made to prepare the same input for $W^+$ and $-W^-$. The presented net reaches the $stop$ phase with $M(p) = 0$ for all $p \in P - \{stop\}$ if and only if $W^+$ and $-W^-$ have the same value for some nonnegative $x_1, \ldots, x_n$.

So when multiplication is computable in the considered class, we are provided with a method to check the existence of an integer solution of every equation $W(x_1, \ldots, x_n) = 0$ in terms of the reachability problem. This concludes the proof. □

Fig. 5. Testing if $W^+(x_1, \ldots, x_n) = -W^-(x_1, \ldots, x_n)$ for given $x_1, \ldots, x_n$
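As an added example (not code from the paper), the following Python code carries out the two reductions of this proof on a concrete polynomial: it builds the $2^n$ sign variants $W_I$, splits each into $W^+$ and $-W^-$, and searches for a point where the two nonnegative-coefficient parts agree, which is exactly the condition the net of Fig. 5 tests by reachability. The search over nonnegative points is bounded so that it terminates; the polynomial $W(x, y) = x + 2y + 1$, the dictionary representation and the function names are the example's own assumptions.

```python
from itertools import product
from math import prod


def evaluate(poly, point):
    """poly maps exponent tuples to integer coefficients: {(2, 0): 1, (0, 1): -3} is x^2 - 3y."""
    return sum(c * prod(x ** e for x, e in zip(point, exps)) for exps, c in poly.items())


def sign_variants(poly, n):
    """The 2^n polynomials W_I, I subset of {1..n}, obtained by substituting -x_i for x_i, i in I.
    Returns (signs, W_I) pairs; signs[i] == -1 exactly when i is in I."""
    variants = []
    for signs in product((1, -1), repeat=n):
        w = {}
        for exps, c in poly.items():
            # a monomial changes sign iff the total degree of its negated variables is odd
            flip = sum(e for s, e in zip(signs, exps) if s == -1) % 2
            w[exps] = w.get(exps, 0) + (-c if flip else c)
        variants.append((signs, {e: c for e, c in w.items() if c}))
    return variants


def split(poly):
    """W = W+ - (-W-): returns (W+, -W-), both with nonnegative coefficients."""
    w_plus = {e: c for e, c in poly.items() if c > 0}
    minus_w_minus = {e: -c for e, c in poly.items() if c < 0}
    return w_plus, minus_w_minus


def nonneg_zero(poly, n, bound):
    """Nonnegative integer zero with every x_i <= bound, or None. The net of Fig. 5 decides the
    unbounded question by reachability; the search is bounded here so that it terminates."""
    w_plus, minus_w_minus = split(poly)
    for pt in product(range(bound + 1), repeat=n):
        if evaluate(w_plus, pt) == evaluate(minus_w_minus, pt):  # W+ = -W-  <=>  W = 0
            return pt
    return None


def integer_zero(poly, n, bound):
    """Integer zero of W recovered from a nonnegative zero of one of the variants W_I."""
    for signs, w in sign_variants(poly, n):
        pt = nonneg_zero(w, n, bound)
        if pt is not None:
            return tuple(s * x for s, x in zip(signs, pt))
    return None


# Constructed instance: W(x, y) = x + 2y + 1 has no nonnegative zero but vanishes at (1, -1).
W = {(1, 0): 1, (0, 1): 2, (0, 0): 1}

if __name__ == "__main__":
    print(integer_zero(W, 2, 5))  # (1, -1)
```

The variant with $y$ negated is $x - 2y + 1$, whose parts $W^+ = x + 1$ and $-W^- = 2y$ agree at $(1, 1)$; undoing the substitution gives the integer zero $(1, -1)$ of $W$.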



Now we know that, since the reachability problem is decidable for PT-nets, multiplication is not computable by PT-nets.

A characterization of the functions computable by PT-nets has been given in the literature: the linear functions $f(x_1, \ldots, x_n) = k_1 x_1 + \cdots + k_n x_n$ for nonnegative integers $k_1, \ldots, k_n$ are the only functions computable by PT-nets.

Is it a dead end? Fortunately not. To make the 10th Hilbert problem applicable, let us first observe that there are classes of Petri nets for which multiplication is computable. The following two results are well established, but the original proofs did not use the 10th Hilbert problem to determine the undecidability results.

Proposition 2.1. The reachability problem is undecidable in the class of self-modifying nets.

Proof. Consider the net from Fig. 6.

Observe that to empty the net interior one must fire the transition $t$ $x$ times. Each time $t$ is fired, $y$ tokens are transmitted to $p_f$. Finally, the $finish$ transition clears the tokens from the place $p_y$, resulting in $xy$ tokens on $p_f$. □



Proposition 2.2. The reachability problem is undecidable for nets with priorities.

Fig. 6. The reachability problem is undecidable for self-modifying nets

Proof. Consider the net from Fig. 7. Assume that each transition $t_i$ has priority $i$. Observe that, since all possibly enabled transitions will be in conflict after a token appears on the place $progress$, the priorities determine the order in which the transitions are executed. Immediately after $run$ is fired, only $t_2$ is enabled (if there are tokens on $p_y$¹). When one token from $p_y$ is put on $p_2$, $t_4$ fires $x$ times, making a copy of $x$ on $p_1$. Now only one transition is enabled, so it fires, and a token is put on $p_3$, enabling the transition which fires $x$ times returning the tokens to the place $p_x$; now the only enabled transition fires, removing the token from $p_3$. We have executed one round of this sequence, and the marking we have reached differs from the previous one in such a way that the place $p_y$ has one token less and the place $p_f$ has $x$ tokens more. The above sequence is repeated $y - 1$ times in total, resulting in a marking in which 1 token is on $p_y$, $x(y - 1)$ tokens on $p_f$ and $x$ on $p_x$. In the last round the same sequence is fired, after which $t_2$ is no longer enabled, since no tokens are on $p_y$. So the next transition fires, after which $t_1^x$ empties the place $p_1$, and the transition $finish$ is ready to terminate the whole process, leaving $xy$ tokens on $p_f$. This schedule is purely deterministic. □

¹ In fact if $y = 0$, then the net does not work well: no transition can empty the place $p_x$. To make the proof work also for the case $y = 0$ one should add an extra transition with a suitable priority which would take tokens from $p_x$. This transition would never fire in case $y > 0$.

Fig. 7. The reachability problem is undecidable for nets with priorities



3 Weak Computability is also Sufficient

We will strengthen the result from the previous section. Hack has observed that multiplication is computable in a weaker sense for PT-nets. Weak computability differs from computability in the following sense. Instead of requiring that exactly $f(x_1, \ldots, x_n)$ tokens are on $p_f$ when a token reaches $stop$ and all other places are unmarked, we require only that no more than $f(x_1, \ldots, x_n)$ tokens are on $p_f$, and, moreover, that a firing sequence exists which produces exactly $f(x_1, \ldots, x_n)$ tokens on $p_f$. We propose the name bottom-computability for this kind of computability.

The following proposition restates Hack's observation.

Proposition 3.1. Multiplication is bottom-computable in PT-nets.

Proof. Consider the net from Fig. 7. If we forget about priorities and let the transitions fire in any order, then we see that the schedule with priorities produces the maximum number of tokens on $p_f$. Every other schedule produces fewer tokens (for instance, firing $t_4$ fewer times after each firing of $t_2$). □

We will now introduce a somewhat dual notion: top-computability. We say that a function $f$ is top-computable if no less than $f(x_1, \ldots, x_n)$ tokens are on the place $p_f$ when a marking is reached in which $M(stop) = 1$ and all other places are unmarked, and, as previously, we require that a firing sequence exists which produces exactly $f(x_1, \ldots, x_n)$ tokens on $p_f$.

Clearly, when a function is computable by Petri nets, it is both bottom- and top-computable. The following theorem states that the reverse is also true.

Theorem 3.1. If a function $f(x_1, \ldots, x_n)$ is bottom-computable and top-computable in a class $\mathcal{K}$ of Petri nets, then $f$ is computable in $\mathcal{K}$.

Proof. Consider the net from Fig. 5 and interpret the two subnets presented in the picture as two nets which bottom-compute $f$ on the place $p_{W^-}$ and top-compute $f$ on the place $p_{W^+}$. In order to empty the interior of the net one must obtain the same number of tokens on the places $p_{W^-}$ and $p_{W^+}$. Add also to the net one arc leading from $t$ to $p_f$. Since no more than $f(x_1, \ldots, x_n)$ tokens can appear on $p_{W^-}$, while no less on $p_{W^+}$, to empty the interior of the net one must produce exactly $f(x_1, \ldots, x_n)$ tokens both on $p_{W^-}$ and $p_{W^+}$. Such firing sequences exist by definition. In this case, transferring the tokens to $p_f$ by firing $t$ several times, we obtain exactly $f(x_1, \ldots, x_n)$ tokens as the only possibility to exit the computation with the interior unmarked. □

This result enables us to state the following stronger condition for undecidability of reachability in classes of Petri nets containing PT-nets.

Theorem 3.2. If in a class $\mathcal{K}$ of Petri nets containing PT-nets multiplication is top-computable, then the reachability problem is undecidable in $\mathcal{K}$.

Proof. As multiplication is bottom-computable for PT-nets (Proposition 3.1), the result follows immediately from Theorems 2.2 and 3.1. □

We will use the above theorem to provide a new proof of another known undecidability result.

Proposition 3.2. The reachability problem is undecidable for nets with inhibitor arcs.

Proof. Consider the net from Fig. 8. This time we will try to put as few tokens as possible on the place $p_f$. The main problem here is to remove tokens from $p_y$. The only transition that can do this is $t_2$, but it is connected by an inhibitor arc to $p_x$, so it cannot fire unless $p_x$ is empty. After the transition $run$ fires, only $t_1$ is enabled. We remove tokens from $p_x$ by firing $t_1$ $x$ times and, as a side effect, deposit $x$ tokens on $p_f$. Now we could run the cycle $t_3 t_1$ several times, but this would mean more tokens on $p_f$, so we do not do it.

Instead, we fire $t_2$. A token moves from $p_1$ to $p_2$, and now in order to fire $t_2$ again we must empty the place $p_3$. This can be done only by firing $t_3$ $x$ times. Now transition $t_4$ can fire, returning the token from $p_2$ back to $p_1$. This completes the cycle. We now have one token less on $p_y$ and $x$ tokens more on $p_f$, while the other places are marked the same as just after $run$ had fired. We repeat this cycle $t_1^x t_2 t_3^x t_4$ $y - 1$ times in total, and in the last run, after the sequence $t_1^x t_2$ is fired, we clean the net by firing the two remaining transitions, leaving at least $xy$ tokens on $p_f$. □
Fig. 8. The reachability is undecidable for nets with inhibitor arcs



In the net used in the above proof, three inhibitor arcs are present. One of them can easily be eliminated at the cost of slightly complicating the net structure; it is kept here for clarity of presentation. In particular, the resulting net with two inhibitor arcs provides a proof of the undecidability of reachability in nets with at most two inhibitor arcs: it is not difficult to construct the polynomial computation in such a way that the above net works as a procedure and can be re-used. However, the author was unable to construct a net with one inhibitor arc which would compute multiplication in the weak sense. If such a net were constructed, it would settle negatively the still open problem of whether reachability is decidable for nets with exactly one inhibitor arc.

It is worthwhile to mention that Theorem 3.2 can be slightly strengthened.



Theorem 3.3. Let $\mathcal{K}$ be a class of Petri nets containing PT-nets. If squaring is top-computable in $\mathcal{K}$, then the reachability problem is undecidable in $\mathcal{K}$.

Proof. First observe that the function $f(x) = x/2$ for even $x$ is computable by Petri nets. Just one transition suffices, which takes 2 tokens from $p_x$ and deposits 1 token on $p_f$. So if the function $f(x) = x^2$ is top-computable, then it is computable by Petri nets. And since
$$xy = \frac{(x+y)^2 - x^2 - y^2}{2}$$
holds for all $x$ and $y$, and all the functions on the right-hand side of the equality are computable, their composition is computable as well. □



One should mention that constructing a net example is not always as simple as in the classes of nets presented here. Probably for some classes of nets it is just impossible to apply these results. The author was unable to construct such an example for reset nets, for which the undecidability of reachability is known.



4 Conclusions 

Some sufficient conditions were presented which enable us to establish undecidability of the reachability problem in several classes of Petri nets. Their applicability was illustrated on several well-investigated classes of nets. Although no fresh discoveries were made concerning these undecidabilities, a common framework has been used for the undecidability proofs in these classes.

Since Hilbert's 10th problem has an elementary formulation (though far from an elementary proof), these results have a didactic value: they allow one to prove the undecidability results without having to refer to advanced notions from logic, automata theory or the theory of languages.

The criterion for undecidability of reachability is so simple that it often allows one to construct a suitable net quite easily when an extension of PT-nets is investigated.
Abstract.

Petri Nets have been popular among the developers of workflow management systems for more than twenty years [5]: even if we do not consider the early work of Petri himself and Anatol Holt on modelling procedures with Petri Nets, Paul Zisman and Clarence Ellis adopted Petri Nets for modelling workflows in the late seventies. Since those early years there has been a growing number of proposals adopting different classes of Petri Nets as the modelling framework of a workflow management system. The main reasons for the popularity of Petri Nets are the following:

• they give workflow models a unique, unambiguous semantics;

• they have an easy to read graphical representation; 

• they may support a hierarchy of abstraction levels; 

• they are executable models, well suited for both simulation and software specification.

Today workflow technology, even if it is still considered a hot technology whose success is imminent, has not yet gained a large share of the market for computer-based applications. In an attempt to explain this apparent paradox, all its components (the workflow engine, the workflow models and the workflow design environment) have been discussed in depth [1]. Workflow models (and, among them, Net models) have been criticized for the following reasons:

• they are too rigid since, by imposing an explicit flow of actions, they hinder 
users in overcoming breakdowns; 

• they are too complicated, since their design requires a professional expert and 
cannot be performed by users themselves. 

On the contrary, it has been claimed that, in order to become the kernel of really 
usable workflow management systems, workflow models should have the following 
features: 

• they should be easily modifiable, supporting both the automatic verification of change correctness and safe change enactment on the ongoing instances [6];

• they should support exception handling, allowing users to follow exceptional 
paths on the basis of the policy of their organization, without making models 
too complicated; 
• they should offer multiple diverse views of the workflow to their diverse users (performers, managers, customers, designers).

I claim that Net Theory offers a very powerful platform for satisfying the above requirements, going far beyond the modelling capabilities that have been exploited in the workflow models developed up to now. In particular, I think that process extensions, net morphisms and synthesis algorithms provide powerful mathematical tools for dealing with the above requirements. In the Milano workflow management system [3] we have used a subclass of Elementary Net Systems [7] that has efficient algorithms for all the above services, for creating simple workflow models that are easily changeable, allow exceptional paths and support a variety of views on the workflow [2]. Even if we claim that workflow management systems do not need more powerful models, since simplicity is a positive attribute for them (at least with respect to a large class of workflows), there are several other classes of processes (production and logistics processes, juridical processes, ...) which may need modelling capabilities that go beyond the subclass of Elementary Net Systems we have chosen for the Milano Workflow Management System. The search for classes of Net Systems well supported by efficient algorithms is therefore open [4].
Abstract. The synthesis problem is to decide for a deterministic transition system whether a Petri net with an isomorphic reachability graph exists and, if so, to find such a net (which must have the arc labels of the transition system as transitions). In this paper, we weaken isomorphism to some form of bisimilarity that also takes concurrency into account, and we consider safe nets that may have additional internal transitions. To speak of concurrency, the transition system is enriched by an independence relation to an asynchronous transition system.

For an arbitrary asynchronous transition system, we construct an ST-bisimilar net. We show how to decide effectively whether there exists a bisimilar net without internal transitions, in which case we can also find a history-preserving bisimilar net without internal transitions. Finally, we present a construction that inserts a new internal event into an asynchronous transition system such that the result is history-preserving bisimilar; this construction can help to find a history-preserving bisimilar net (with internal transitions).



1 Introduction 



One methodology for the design of asynchronous circuits takes a transition system (whose arcs are labelled with what we call events) as specification of the desired behaviour, gives it a distributed implementation as a safe Petri net and transforms the latter stepwise into a circuit; the literature gives in detail a practical example for such a development. In the synthesis of the net, it is desirable that each event of the transition system corresponds to a unique transition of the net: as has been shown, the transformation of the net may involve event refinement, which is much easier when each event is represented by one transition; only with this property is it e.g. easy to refine an event $e$ such that each occurrence of $e$ in a run of the original net is replaced alternatingly by an occurrence of $e_1$ or one of $e_2$ in a run of the refined net. Also some existing procedures for efficient direct compilation of a net into an asynchronous circuit rely on this property¹. Since we desire this property, it is natural that we restrict attention to deterministic transition systems.

A pivotal contribution to the synthesis problem is the theory of regions; it allows a characterization of those transition systems TS for

* Work partially supported by the DFG-project ‘Halbordnungstesten’. 

¹ Thanks go to Alex Yakovlev for pointing this out to me.
which an elementary Petri net exists whose reachability graph is isomorphic to TS. Elementary nets are (almost) the same as safe nets without loops, having the nice feature that independence of transitions corresponds exactly to 'diamonds' in the transition system. But it has been pointed out that loops are very natural, in particular in the context of circuits, and allow one to implement additional transition systems; the theory of regions has been extended accordingly (almost) to general safe nets, which can be seen as a specialization of more general parametric results. Another approach weakens the requirements of region theory and shows that, for each transition system TS satisfying the weaker requirements, there exists an elementary net whose reachability graph is bisimilar to TS. For nets or transition systems without internal events, bisimilarity and language equivalence coincide; building on this, language equivalent realization of transition systems has been studied both for bounded nets and for unbounded nets.

One author is confronted with a transition system that cannot be realized by a net in any of these approaches; since the reaction to such a situation can hardly be simply to give up, he first inserts an internal event into the transition system 'in a harmless way', i.e. he achieves in his example an implementation with a net that has an additional internal transition. One can see that this net (i.e. its reachability graph) is bisimilar to the original transition system; implementation of transition systems in this sense is the topic of the present paper.

Thus, we are given a deterministic transition system TS as a specification of some behaviour and we want to find a (general) safe net whose transitions are the events of TS and possibly some additional internal events, and whose reachability graph is (weakly) bisimilar to TS. This ensures (but see below) that the net has essentially the desired behaviour; also, properties formulated e.g. in Hennessy-Milner logic and checked for the transition system will also hold for the net. Note that internal events could lead to a new and usually unwanted behaviour that is ignored by bisimulation, namely divergence, i.e. infinite internal computation; hence, we additionally require the net to be divergence-free.

It should be mentioned that it is easy to turn an arbitrary transition system into a Petri net when labelling of the transitions is allowed. Furthermore, constructions are known that turn a labelled Petri net into one where there are additional internal transitions, but otherwise each label occurs only once; the latter is the kind of net we are looking for. To the best of the author's knowledge, the known constructions either do not give a bisimilar net or introduce divergence. We will improve on this.

In fact, it is not too difficult to find a bisimilar divergence-free implementation for each transition system, but it turns out to be completely sequential. This is undesirable e.g. for performance reasons; hence, an additional requirement is to preserve concurrency, for which concurrency must be specified in the first place. We will therefore in fact start from an asynchronous transition system (ATS), which is a deterministic transition system with an additional independence relation on the events. In the literature, asynchronous and similar transition systems are related to nets by characterizing those ATS for which a net exists whose reachability graph (with independence relation) is isomorphic to the ATS; instead of requiring isomorphism, we want to compare the behaviour of an ATS and a net.

Preservation of concurrency could mean that the net should have the same step sequences or partial order semantics as the ATS, where the latter semantics could be defined via Petri net processes or equivalently as (Mazurkiewicz) traces, also for ATS. Or one could combine this with bisimilarity and require step or history-preserving bisimilarity; for our first result, we will consider something in between: ST-bisimilarity, which combines bisimulation with a partial order semantics based on so-called interval orders. We will show that each ATS (with a weak requirement for independence) can be implemented by an ST-bisimilar divergence-free safe net.

Then, we will consider ATS with the usual strong requirement for independence; we will show how to decide whether for such an ATS there exists a safe net without internal events with a bisimilar reachability graph, and we will prove that one such net is in fact history-preserving bisimilar to the ATS. Finally, we will mention an ATS-modification that sometimes helps to find a history-preserving bisimilar divergence-free safe net with internal events; a special case is the modification mentioned above.



Two other very interesting contributions to the synthesis problem must be mentioned. In one of them, the specification of the desired behaviour is given as a temporal logic formula, and it is shown how to decide whether there exists a safe net with possibly some additional internal events meeting the specification. The other generalizes the synthesis problem in two other ways: firstly, two regular languages are given and a (possibly unbounded) net is sought with a language between the given ones; secondly, the problem of realizing a deterministic context-free language with a net is considered.



2 Petri Nets and ST-Bisimulation 

In this paper, a safe Petri net $N$ (or just a net) is a tuple $(S, E_V, E_I, F, M_N)$ satisfying a number of requirements explained in the following. $S$, $E_V$ and $E_I$ are finite disjoint sets of places and of visible and internal events; thus, we call the elements of $E = E_V \cup E_I$ events instead of transitions. $N$ is called visible if $E_I$ is empty. $F \subseteq S \times E \cup E \times S$ is the set of arcs (which all have weight 1), and $M_N$ is the initial marking, which is, as any marking, a subset of $S$. When we introduce a net $N$ or $N'$ etc., then we assume that this implicitly introduces its components $S, E, E_V, \dots$ or $S', E', E'_V, \dots$, etc., and similarly for other tuples later on.

For each $x \in S \cup E$, the preset of $x$ is ${}^\bullet x = \{y \mid (y, x) \in F\}$ and the postset of $x$ is $x^\bullet = \{y \mid (x, y) \in F\}$. These notions are extended pointwise to sets, e.g. ${}^\bullet X = \bigcup_{x \in X} {}^\bullet x$. If $x \in {}^\bullet y \cap y^\bullet$, then $x$ and $y$ form a loop.

• An event $a$ is enabled under a marking $M$, denoted by $M[a\rangle$, if ${}^\bullet a \subseteq M$. If $M[a\rangle$ and $M' = (M \setminus {}^\bullet a) \cup a^\bullet$, then we denote this by $M[a\rangle M'$ and say that $a$ can occur or fire under $M$ yielding the marking $M'$. (This rule is in fact a bit unusual, since we simply take the union of the possibly overlapping $M \setminus {}^\bullet a$ and $a^\bullet$. Our rule coincides with the usual one for the nets we will consider in the following.)

• The definition of enabling ($M[w\rangle$) and occurrence ($M[w\rangle M'$) is extended to sequences $w$ as usual. If $w$ is enabled under the initial marking, it is called a firing sequence. A marking $M$ is called reachable if $\exists w \in E^* : M_N[w\rangle M$. The net is safe if for all reachable markings $M$ and events $a$, $M[a\rangle$ implies $(M \setminus {}^\bullet a) \cap a^\bullet = \emptyset$.

General Assumption All nets considered in this paper are safe and have only 
events with nonempty presets. For convenience, we also assume that for each 
event a there is some reachable marking that enables a. 

It is obvious how to generalize the firing rule to infinite sequences. It is usually 
desirable that a net be divergence-free, i.e. that no reachable marking enables 
an infinite sequence of internal events. Next, we lift the enabledness and firing 
definitions to the level of visibility: 

• A sequence $v \in E_V^*$ is visibly enabled under a marking $M$, denoted by $M[v\rangle\rangle$, if there is some sequence $w \in E^*$ with $M[w\rangle$ such that $v$ is obtained from $w$ by deleting all internal events. If $M = M_N$, then $v$ is called a visible firing sequence.

To each net $N$ we associate an independence relation $I(N)$ on its events, where $a\, I(N)\, b$ if ${}^\bullet a \cup a^\bullet$ and ${}^\bullet b \cup b^\bullet$ are disjoint. Note that $I(N)$ is irreflexive and symmetric. For a marking $M$, $\mu \subseteq E$ is an $M$-step if the events in $\mu$ are enabled under $M$ and pairwise independent; in this case, the events can fire in any order under $M$ and, intuitively, also simultaneously.

We are interested in behaviour notions capturing choice and concurrency in a strong sense, hence in variants of bisimulation that also consider concurrency. (For the basic bisimulation, see the next section.) One such variant is ST-bisimulation; its key idea is that the firing of a visible event $a$ consists of a beginning $a^+$ and an end $a^-$, where $a^+$ checks the enabledness of $a$ and consumes its input, while $a^-$ produces the output. Thus, concurrency in the sense of overlapping occurrences can be observed for visible events, while internal events cannot be observed at all. This is a stronger notion of concurrency than e.g. steps; it corresponds to a partial order semantics that is weaker than causality as captured by net processes, but is instead based on so-called interval orders, and it is suitable to judge temporal efficiency when events take time.

If events have a beginning and an end, a system state cannot adequately be described by a marking alone; instead, it consists of a marking together with some events that have started but have not finished yet, and it is called an ST-marking. In the corresponding firing rule, the preset of a starting event is usually subtracted from the marking immediately; for compatibility with the next section, we introduce an alternative but equivalent formulation.
• An ST-marking $(M, \mu)$ of a net $N$ consists of a reachable marking $M$ and an $M$-step $\mu \subseteq E_V$. The initial ST-marking is $(M_N, \emptyset)$.

• For a visible event $a$, we write $(M, \mu)[a^+\rangle(M, \mu \cup \{a\})$ if $M[a\rangle$ and $a$ is independent of all $b \in \mu$, which in particular implies $a \notin \mu$. For a visible event $a$, we write $(M, \mu)[a^-\rangle(M', \mu \setminus \{a\})$ if $a \in \mu$ and $M[a\rangle M'$. Finally, for an internal event $c$, we write $(M, \mu)[c\rangle(M', \mu)$ if $c$ is independent of all $b \in \mu$ and $M[c\rangle M'$. Note that in all three cases the pair reached is an ST-marking again.

• We again extend this definition to sequences and, by suppressing internal events, to visible sequences.

Nets $N$ and $N'$ with the same visible events are ST-bisimilar if there is an ST-bisimulation between them, i.e. a relation $B$ between their ST-markings with:

1. $B$ relates the initial ST-markings.

2. If $a \in E_V$, $c \in E_I$ and $(M, \mu)\,B\,(M', \mu)$ (with the same $\mu$), then we have:

(a) $(M, \mu)[a^+\rangle(M, \mu \cup \{a\})$ implies that for some $M''$: $(M', \mu)[a^+\rangle\rangle(M'', \mu \cup \{a\})$ and $(M, \mu \cup \{a\})\,B\,(M'', \mu \cup \{a\})$

(b) $(M, \mu)[a^-\rangle(M_1, \mu \setminus \{a\})$ implies that for some $M_1'$: $(M', \mu)[a^-\rangle\rangle(M_1', \mu \setminus \{a\})$ and $(M_1, \mu \setminus \{a\})\,B\,(M_1', \mu \setminus \{a\})$

(c) $(M, \mu)[c\rangle(M_1, \mu)$ implies that $(M', \mu)[\lambda\rangle\rangle(M_1', \mu)$ and $(M_1, \mu)\,B\,(M_1', \mu)$ for some $M_1'$

3. vice versa

ST-bisimulations do not consist of pairs ((M, g), (M', g')) for general labelled 
nets; instead, there is an additional component that matches for each visible label 
a the a-labelled transitions in g to the a-labelled transitions in g' . This is not 
necessary in our setting, since here a step can contain at most one a - whereas 
in general there can be several a-labelled transitions in a step. 

3 Asynchronous Transition Systems and 
History-Preserving and ST-Bisimulation 

An asynchronous transition system (an ATS) $A$ (and, more generally, a weak asynchronous transition system, a wATS) is a tuple $(Q, E_V, E_I, T, q_0, I)$ satisfying a number of requirements explained in the following. $Q$ is the finite set of states containing the initial state $q_0$; $E_V$ and $E_I$ are finite disjoint sets of visible and internal events, and $I$ is the irreflexive and symmetric independence relation on $E = E_V \cup E_I$; events are dependent if they are not independent. $A$ is called visible if $E_I$ is empty. We speak of a transition system if we are not interested in $I$.

The transition relation $T$ is a partial function from $Q \times E$ to $Q$, i.e. $A$ is deterministic over the alphabet $E$. We say $a$ is enabled under $q$ or can occur from $q$ and write $q \xrightarrow{a}$ if $T$ is defined for $(q, a)$; we write $q \xrightarrow{a} p$ if $T(q, a) = p$, and speak of an ($a$-labelled) arc from $q$ to $p$; $q$ and $a$ form a loop in $A$ if $q \xrightarrow{a} q$. Similarly to the last section, $\xrightarrow{a}$ is generalized to $\xrightarrow{w}$ for $w \in E^*$ (asserting the existence of a $w$-labelled path); if $q_0 \xrightarrow{w}$, then $w$ is called an occurrence sequence of $A$. Also in direct analogy to the last section, we define divergence-freeness of wATS. We write $q \overset{v}{\Longrightarrow} q'$ if $q \xrightarrow{w} q'$ and $v$ is the sequence of visible events obtained from $w$ by deleting all internal events. We require that all states of $A$ are reachable, i.e. for all $q \in Q$ there is some $w \in E^*$ with $q_0 \xrightarrow{w} q$.

For $q \in Q$, $\mu \subseteq E$ is a $q$-step if the events in $\mu$ are enabled under $q$ and pairwise independent. To guarantee that these events can occur in any order from $q$ reaching the same state in any case, we define:

A weak asynchronous transition system (wATS) satisfies for all independent events $a$ and $b$ and states $q$: if $q \xrightarrow{a}$ and $q \xrightarrow{b}$, then there exists some $q'$ with $q \xrightarrow{ab} q'$ and $q \xrightarrow{ba} q'$. (Only this 'forward diamond property' is also required e.g. in some related work.) For an asynchronous transition system (ATS), also $q \xrightarrow{ab} q'$ implies $q \xrightarrow{ba} q'$. For convenience, we assume that for each event $a$ of a wATS or ATS there exists some $q$ with $q \xrightarrow{a}$. For an ATS, we furthermore assume that $a\,I\,b$ implies that there exists some $q$ with $q \xrightarrow{a}$ and $q \xrightarrow{b}$.

We call wATS $A$ and $A'$ isomorphic if one is obtained from the other by a bijective renaming of states that preserves initial states and transition relations.

For comparison of wATSs, we first define ordinary bisimulation: two wATSs $A$ and $A'$ with the same visible events are (weakly) bisimilar if there exists a bisimulation between them, i.e. a relation $B \subseteq Q \times Q'$ such that:

1. $B$ relates the initial states.

2. If $a \in E_V$, $c \in E_I$ and $q\,B\,q'$, then we have:

(a) $q \xrightarrow{a} q_1$ implies that for some $q_1'$: $q' \overset{a}{\Longrightarrow} q_1'$ and $q_1\,B\,q_1'$

(b) $q \xrightarrow{c} q_1$ implies that for some $q_1'$: $q' \overset{\lambda}{\Longrightarrow} q_1'$ and $q_1\,B\,q_1'$

3. vice versa
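As an added example (not part of the paper), the following Python code decides the (weak) bisimilarity just defined for two small deterministic transition systems given as dictionaries. It computes the largest relation satisfying conditions 1 to 3 as a greatest fixpoint: starting from all pairs of states, it repeatedly discards pairs in which some step $q \xrightarrow{a} q_1$ or $q \xrightarrow{c} q_1$ is not matched by a weak step $q' \overset{a}{\Longrightarrow} q_1'$ or $q' \overset{\lambda}{\Longrightarrow} q_1'$ into a remaining pair (and vice versa). The two bisimilar systems and the third, non-bisimilar one are constructed for this example, and the dictionary encoding (keys states, init, T, internal) is the example's own, not the paper's.

```python
# Added example (not from the paper): weak bisimulation between two small
# deterministic transition systems, computed as a greatest fixpoint.
# Encoding (this example's own): {"states", "init", "T": {(q, e): q'}, "internal": set}.

def closure(ts, states, label=None):
    """States reachable from `states` by internal steps, then one `label`-step
    (skipped if label is None), then internal steps again: q ==label==> q'."""
    def tau_star(S):
        S, todo = set(S), list(S)
        while todo:
            q = todo.pop()
            for (p, e), r in ts["T"].items():
                if p == q and e in ts["internal"] and r not in S:
                    S.add(r)
                    todo.append(r)
        return S
    S = tau_star(states)
    if label is not None:
        S = tau_star({ts["T"][(q, label)] for q in S if (q, label) in ts["T"]})
    return S

def weak_bisimilar(A, B):
    """True iff the initial states of A and B are related by some (weak) bisimulation."""
    R = {(q, p) for q in A["states"] for p in B["states"]}

    def matched(X, Y, x, y, flip):
        # every step of x in X must be matched by a weak step of y in Y into a pair of R
        for (q, e), x1 in X["T"].items():
            if q != x:
                continue
            lab = None if e in X["internal"] else e      # internal step: match by q' =lambda=> q1'
            pairs = [(y1, x1) if flip else (x1, y1) for y1 in closure(Y, {y}, lab)]
            if not any(pair in R for pair in pairs):
                return False
        return True

    changed = True
    while changed:                                       # discard violating pairs until stable
        changed = False
        for (q, p) in list(R):
            if not (matched(A, B, q, p, False) and matched(B, A, p, q, True)):
                R.discard((q, p))
                changed = True
    return (A["init"], B["init"]) in R

# Constructed systems: A1 does a then b; A2 does the same with internal steps t
# inserted (bisimilar to A1); A3 does a then a visible c (not bisimilar to A1).
A1 = {"states": {"q0", "q1", "q2"}, "init": "q0", "internal": set(),
      "T": {("q0", "a"): "q1", ("q1", "b"): "q2"}}
A2 = {"states": {"p0", "p1", "p2", "p3", "p4"}, "init": "p0", "internal": {"t"},
      "T": {("p0", "t"): "p1", ("p1", "a"): "p2", ("p2", "t"): "p3", ("p3", "b"): "p4"}}
A3 = {"states": {"r0", "r1", "r2"}, "init": "r0", "internal": set(),
      "T": {("r0", "a"): "r1", ("r1", "c"): "r2"}}

if __name__ == "__main__":
    print(weak_bisimilar(A1, A2), weak_bisimilar(A1, A3))   # True False
```

The fixpoint iteration removes pairs only, so the relation left when nothing changes is the largest bisimulation between the two systems; the initial states are bisimilar exactly when they survive. As the paper notes, this notion ignores divergence: the internal steps of A2 are matched by empty weak steps of A1, and an internal loop in A2 would be matched the same way.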

A bisimulation on $A$ is one between $A$ and $A$, and states of $A$ (or similarly reachable markings of a net) are bisimilar if they are related by a bisimulation on $A$. For wATS, we also define ST-bisimulations and related notions:

• An ST-state $(q, \mu)$ of a wATS $A$ consists of a state $q$ and some $q$-step $\mu \subseteq E_V$. The initial ST-state is $(q_0, \emptyset)$.

• For a visible event $a$, we write $(q, \mu) \xrightarrow{a^+} (q, \mu \cup \{a\})$ if $q \xrightarrow{a}$ and $a$ is independent of all $b \in \mu$, which again implies $a \notin \mu$. Note that in the case of wATS, we cannot change the state component in a way that would somehow reflect just the starting of $a$; therefore, we have adapted the notation for nets accordingly in the previous section.

We write $(q, \mu) \xrightarrow{a^-} (q', \mu \setminus \{a\})$ if $a \in \mu$ and $q \xrightarrow{a} q'$. Finally, for an internal event $c$, we write $(q, \mu) \xrightarrow{c} (q', \mu)$ if $c$ is independent of all $b \in \mu$ and $q \xrightarrow{c} q'$. Note that in all three cases the pair reached is an ST-state again.

• We again extend this definition to sequences and, by suppressing internal events, to visible sequences.

Two wATSs $A$, $A'$ with the same visible events are ST-bisimilar if there is an ST-bisimulation between them, i.e. a relation $B$ between their ST-states with:

1. $B$ relates the initial ST-states.

2. If $a \in E_V$, $c \in E_I$ and $(q, \mu)\,B\,(q', \mu)$ (with the same $\mu$), then we have:

(a) $(q, \mu) \xrightarrow{a^+} (q, \mu \cup \{a\})$ implies that for some $q''$: $(q', \mu) \overset{a^+}{\Longrightarrow} (q'', \mu \cup \{a\})$ and $(q, \mu \cup \{a\})\,B\,(q'', \mu \cup \{a\})$

(b) $(q, \mu) \xrightarrow{a^-} (q_1, \mu \setminus \{a\})$ implies that for some $q_1'$: $(q', \mu) \overset{a^-}{\Longrightarrow} (q_1', \mu \setminus \{a\})$ and $(q_1, \mu \setminus \{a\})\,B\,(q_1', \mu \setminus \{a\})$

(c) $(q, \mu) \xrightarrow{c} (q_1, \mu)$ implies: for some $q_1'$: $(q', \mu) \overset{\lambda}{\Longrightarrow} (q_1', \mu)$ and $(q_1, \mu)\,B\,(q_1', \mu)$

3. vice versa

In this paper, we define the reachability graph of a net $N$ to be an ATS: its states are the reachable markings, it has the same visible and internal events as $N$, the transition relation is given by the firing rule, $M_N$ is the initial state and the independence relation is $I(N)$ restricted to those $(a, b)$ that are enabled under a common reachable marking. Thus, the above definition of ST-bisimulation extends the one from the last section, since nets are ST-bisimilar if and only if their reachability graphs are ST-bisimilar. In this sense, we can also speak of a net being ST-bisimilar to an ATS or wATS.

Similarly, we call two nets bisimilar if their reachability graphs are bisimilar, and this way we can also speak of a net being bisimilar to an ATS or wATS.

History-preserving bisimulations, or hp-bisimulations for short, are usually defined for nets based on the partial orders induced by net processes. These partial orders can alternatively be obtained as Mazurkiewicz traces. Since the latter can be naturally defined for ATS as well (but not for wATS!), we define hp-bisimulation for ATS in this way; via the reachability graph, this also defines when two nets or a net and an ATS are hp-bisimilar.

For an ATS $A$ and event sequences $v$ and $w$, we write $v \sim w$ if, for independent events $a$ and $b$, $v = uabu'$ and $w = ubau'$. If $v$ and $w$ are related by the reflexive-transitive closure of $\sim$, we call them equivalent, write $[v]$ for the equivalence class of $v$ and call it a trace, and a trace of $A$ if $v$ is an occurrence sequence of $A$. Due to the stronger independence requirement for ATS, all elements of a trace of $A$ are occurrence sequences reaching the same state.

To each trace $[a_1 \dots a_n]$ we can associate a labelled partial order on $\{1, \dots, n\}$: each $i$ is labelled with $a_i$, and the order is the least transitive relation where $i$ is 'less than' $j$ if $i < j$ and $a_i$ and $a_j$ are dependent. $[a_1 \dots a_n]$ is exactly the set of linearizations of this labelled partial order, which is up to isomorphism independent of the representative $a_1 \dots a_n$. (Hence, strictly speaking, we consider labelled partial orders only up to isomorphism.) If we restrict the labelled partial order to the visible events, we obtain the visible po of $[a_1 \dots a_n]$.
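As an added example (not part of the paper), the following Python code computes the labelled partial order just described for a sequence over a constructed independence relation, decides whether two sequences belong to the same trace by comparing these orders, enumerates the linearizations that make up a trace, and checks on a constructed ATS that all elements of a trace reach the same state. Positions are named (label, occurrence number), which makes the isomorphism class of the labelled partial order canonical, since equally labelled positions are always ordered (a letter depends on itself). The ATS and the independence relation are this example's own.

```python
# Added example (not from the paper): Mazurkiewicz traces of an ATS as labelled
# partial orders, and the set of linearizations forming one trace.
from itertools import permutations

# Constructed ATS: a and b independent, c dependent on both (I is symmetric).
INDEP = {("a", "b"), ("b", "a")}
T = {("q0", "a"): "q1", ("q0", "b"): "q2", ("q1", "b"): "q3",
     ("q2", "a"): "q3", ("q3", "c"): "q0"}

def dependent(x, y, indep):
    return x == y or (x, y) not in indep

def labelled_po(seq, indep):
    """Labelled partial order of the trace [seq]. Position i is named (a_i, k) with k
    its occurrence number; i < j are ordered when a_i and a_j are dependent, and the
    relation is closed transitively. Equal results mean isomorphic labelled orders."""
    count, events = {}, []
    for a in seq:
        count[a] = count.get(a, 0) + 1
        events.append((a, count[a]))
    order = {(events[i], events[j])
             for i in range(len(seq)) for j in range(i + 1, len(seq))
             if dependent(seq[i], seq[j], indep)}
    changed = True
    while changed:                                   # transitive closure
        changed = False
        for (x, y) in list(order):
            for (y2, z) in list(order):
                if y == y2 and (x, z) not in order:
                    order.add((x, z))
                    changed = True
    return frozenset(events), frozenset(order)

def equivalent(v, w, indep):
    """v and w lie in the same trace iff their labelled partial orders coincide."""
    return labelled_po(v, indep) == labelled_po(w, indep)

def linearizations(seq, indep):
    """All elements of the trace [seq] (brute force over permutations; small inputs)."""
    return {p for p in set(permutations(seq)) if equivalent(p, seq, indep)}

def run(q, seq, T):
    """Follow seq from q in the deterministic ATS; None if some step is not enabled."""
    for a in seq:
        if (q, a) not in T:
            return None
        q = T[(q, a)]
    return q

def trace_targets(q, seq, T, indep):
    """States reached by the elements of [seq] from q; for an ATS this is a single state."""
    return {run(q, p, T) for p in linearizations(seq, indep)}

if __name__ == "__main__":
    print(sorted("".join(p) for p in linearizations("abc", INDEP)))   # ['abc', 'bac']
    print(trace_targets("q0", "abc", T, INDEP))                        # {'q0'}
```

Comparing the canonical labelled orders is equivalent to asking whether one sequence can be turned into the other by swapping adjacent independent letters, which is the definition of $\sim$ above; the brute-force enumeration of linearizations is only meant for the short sequences of an example.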

Two ATSs $A$ and $A'$ with the same visible events are hp-bisimilar if there is an hp-bisimulation between them, i.e. a relation $B$ between their traces with:

1. $[\lambda]\,B\,[\lambda]$.

2. If $[v]\,B\,[w]$, then $[v]$ and $[w]$ have the same visible po (up to isomorphism).

3. If $[v]\,B\,[w]$ and $[va]$ is a trace of $A$ for some event $a$, then there exists some trace $[wu]$, $u \in E'^*$, with $[va]\,B\,[wu]$.

4. vice versa




Concurrent Implementation of Asynchronous Transition Systems



Again, for general labelled nets, the elements of an hp-bisimulation are in 
fact triples where the additional component is an explicit isomorphism between 
the visible partial orders; again this is not necessary here where elements with 
the same label are always ordered such that the required isomorphism is unique. 

4 ST-Bisimilar Implementations of Weak ATSs 

In this section, we will construct a net $N$ that is ST-bisimilar to a given visible weak ATS $A = (Q, E_V, \emptyset, T, q_0, I)$. As explained, this can be seen as an improvement on known constructions that avoid equally labelled transitions, since $N$ will be bisimilar to $A$ and divergence-free; on top of this, we also consider independence of events.

First of all, we find a family of cliques covering the dependence graph of $I$, i.e. a family $(D_i)$ of nonempty subsets of $E_V$ such that the elements of each $D_i$ are pairwise dependent and such that for any dependent events $a$ and $b$ there exists a $D_i$ containing $a$ and $b$; in particular, the union of the $D_i$ is $E_V$ since possibly $a = b$. If one is not interested in concurrency, one can choose $I = \emptyset$ and $E_V$ as the only $D_i$; the figure shows a transition system and part of our net construction for this simple case, which yields a sequential net.




$N$ has places $s_q$ for $q \in Q$, $s_a$ and $\bar{s}_a$ for $a \in E_V$, and the $D_i$. It has the visible events in $E_V$, and $E_I = \{(q, a) \mid q \in Q,\ a \in E_V,\ q \xrightarrow{a}\}$. We define $F$ by giving the pre- and postsets of the events. For $a \in E_V$, ${}^\bullet a = \{s_a\} \cup \{D_i \mid a \in D_i\}$ and $a^\bullet = \{\bar{s}_a\}$. For an internal event $(q, a)$ with $q \xrightarrow{a} p$, we define:

$${}^\bullet(q, a) = \{s_q\} \cup \{\bar{s}_a\} \cup \{s_b \mid a \neq b \wedge q \xrightarrow{b} \wedge \neg\, p \xrightarrow{b}\} \cup \{D_i \mid (\exists b \in D_i : q \xrightarrow{b}) \wedge (\neg \exists b \in D_i : p \xrightarrow{b}) \wedge a \notin D_i\}$$

$$(q, a)^\bullet = \{s_p\} \cup \{s_b \mid p \xrightarrow{b} \wedge (a = b \vee \neg\, q \xrightarrow{b})\} \cup \{D_i \mid (\exists b \in D_i : p \xrightarrow{b}) \wedge (a \in D_i \vee \neg \exists b \in D_i : q \xrightarrow{b})\}$$
It will turn out that the reachable markings have the form $M(q, v)$ where $v \subseteq E_V$ is a visible $q$-step; we define:

$$M(q, v) = \{s_q\} \cup \{s_b \mid q \xrightarrow{b} \wedge b \notin v\} \cup \{\bar{s}_a \mid a \in v\} \cup \{D_i \mid (\exists b \in D_i : q \xrightarrow{b}) \wedge D_i \cap v = \emptyset\}$$

With this definition, the initial marking of $N$ is $M(q_0, \emptyset)$.

Lemma 1. $N$ is safe and divergence-free, and the reachable markings of $N$ are the markings $M(q, v)$ where $v \subseteq E_V$ is a visible $q$-step. More in detail:

1. $M(q, v)$ enables $a \in E_V$ iff $q \xrightarrow{a}$ and $a$ is independent of each event in $v$; then $M(q, v)[a\rangle M(q, v \cup \{a\})$.

2. $M(q, v)$ enables an internal event iff it has the form $(q, a)$ with $a \in v$ and $q \xrightarrow{a} p$ for some $p$; then $M(q, v)[(q, a)\rangle M(p, v \setminus \{a\})$.
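As an added example (not part of the paper), the following Python code puts the net definitions of Section 2 (firing rule $M' = (M \setminus {}^\bullet e) \cup e^\bullet$, safety, divergence-freeness) and the construction of this section to work: it builds $N$ from a constructed visible weak ATS with three events (two independent, one dependent on both), computes a clique cover $(D_i)$ of the dependence graph, explores all reachable markings and checks the claims of Lemma 1 against them. The tuple encoding of places and the sample ATS are this example's own, not the paper's.

```python
# Added example (not from the paper): build the net N of this section from a constructed
# visible weak ATS and check Lemma 1 by exhaustive exploration. Places are encoded as tuples
# ("q", q), ("s", a), ("sbar", a), ("D", D_i); encoding and ATS are the example's own.
from collections import deque
from itertools import combinations

# Constructed visible wATS: a, b independent (forward diamond at q0), c dependent on both.
Q = {"q0", "q1", "q2", "q3"}
EV = {"a", "b", "c"}
T = {("q0", "a"): "q1", ("q0", "b"): "q2", ("q1", "b"): "q3",
     ("q2", "a"): "q3", ("q3", "c"): "q0"}
INDEP = {("a", "b"), ("b", "a")}           # I: irreflexive and symmetric
Q0 = "q0"

def enabled(q, e):                          # q -e->
    return (q, e) in T

def cliques(ev, indep):
    """Maximal cliques of the dependence graph (brute force): the family (D_i)."""
    dep = lambda x, y: x == y or (x, y) not in indep
    cl = []
    for k in range(len(ev), 0, -1):
        for sub in combinations(sorted(ev), k):
            if all(dep(x, y) for x in sub for y in sub) and not any(set(sub) <= c for c in cl):
                cl.append(frozenset(sub))
    return cl

D = cliques(EV, INDEP)

def A(q, Di):                               # exists b in D_i with q -b->
    return any(enabled(q, b) for b in Di)

def build_net():
    """Pre-/postsets of N: visible events a in E_V, internal events (q, a) with q -a->."""
    pre, post = {}, {}
    for a in EV:
        pre[a] = {("s", a)} | {("D", Di) for Di in D if a in Di}
        post[a] = {("sbar", a)}
    for (q, a), p in T.items():
        pre[(q, a)] = ({("q", q), ("sbar", a)}
                       | {("s", b) for b in EV if a != b and enabled(q, b) and not enabled(p, b)}
                       | {("D", Di) for Di in D if A(q, Di) and not A(p, Di) and a not in Di})
        post[(q, a)] = ({("q", p)}
                        | {("s", b) for b in EV if enabled(p, b) and (a == b or not enabled(q, b))}
                        | {("D", Di) for Di in D if A(p, Di) and (a in Di or not A(q, Di))})
    return pre, post

def M(q, v):
    """The marking M(q, v) for a visible q-step v."""
    return frozenset({("q", q)} | {("s", b) for b in EV if enabled(q, b) and b not in v}
                     | {("sbar", a) for a in v}
                     | {("D", Di) for Di in D if A(q, Di) and not (Di & v)})

def enabled_events(pre, m):                 # all e whose preset is contained in m
    return {e for e in pre if pre[e] <= m}

def fire(m, pre, post, e):                  # M[e>M' with M' = (M minus •e) ∪ e•
    return frozenset((m - pre[e]) | post[e])

def explore(pre, post, m0):
    """All reachable markings; also checks safety, (M minus •e) ∩ e• = ∅, at every firing."""
    seen, todo, safe = {m0}, deque([m0]), True
    while todo:
        m = todo.popleft()
        for e in enabled_events(pre, m):
            if (m - pre[e]) & post[e]:
                safe = False
            m2 = fire(m, pre, post, e)
            if m2 not in seen:
                seen.add(m2)
                todo.append(m2)
    return seen, safe

def divergence_free(pre, post, reach):
    """No cycle of internal events (q, a) among the reachable markings (DFS colouring)."""
    succ = {m: [fire(m, pre, post, e) for e in enabled_events(pre, m) if isinstance(e, tuple)]
            for m in reach}
    colour = {}                             # 1 = on the DFS stack, 2 = finished
    def dfs(m):
        colour[m] = 1
        for n in succ[m]:
            if colour.get(n) == 1 or (n not in colour and not dfs(n)):
                return False
        colour[m] = 2
        return True
    return all(colour.get(m) == 2 or dfs(m) for m in reach)

def lemma1_holds():
    """Reachable markings are exactly the M(q, v), v a visible q-step; N safe and divergence-free."""
    pre, post = build_net()
    reach, safe = explore(pre, post, M(Q0, frozenset()))
    expected = set()
    for q in Q:
        en = [a for a in EV if enabled(q, a)]
        for k in range(len(en) + 1):
            for v in combinations(en, k):
                if all((x, y) in INDEP for x in v for y in v if x != y):
                    expected.add(M(q, frozenset(v)))
    return safe and reach == expected and divergence_free(pre, post, reach)
```

For the sample ATS the clique cover is $\{a, c\}, \{b, c\}$, the initial marking enables exactly $a$ and $b$, and after $a$ has fired the marking $M(q_0, \{a\})$ enables $b$ (concurrently) and the internal event $(q_0, a)$, whose firing yields $M(q_1, \emptyset)$ as statement 2 of the lemma predicts. Because every internal event strictly shrinks the step component $v$, no internal cycle exists, which is what the divergence check confirms.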

Proof. First note that divergence-freeness will follow from statement 2. We will consider some $M(q, v)$ and show that firing any enabled transition does not violate safety and reaches again a marking of the desired form. Since the initial marking is $M(q_0, \emptyset)$, this shows that $N$ is safe and the reachable markings of $N$ are of the desired form. From our considerations, it will be easy to see that any $M(q, v)$ can be reached in $N$ by taking a sequence reaching $q$ in $A$, inserting after each $a$ occurring from some $p$ in $A$ the internal transition $(p, a)$ and finally adding the events in $v$ in some order.

If $a \in E_V$ is enabled under $M(q, v)$, then $a$ needs a token from $s_a$, hence $q \xrightarrow{a}$, and $a$ needs a token from all $D_i$ with $a \in D_i$; thus, all these $D_i$ have an empty intersection with $v$, and $a$ is independent of each event in $v$ by choice of the $D_i$. Vice versa, each $a$ with $q \xrightarrow{a}$ that is independent of each event in $v$ is easily seen to be enabled under $M(q, v)$. Firing such an $a$ gives $M(q, v \cup \{a\})$ and does not violate safety.

An internal event enabled under $M(q, v)$ needs a token from $s_q$ and from some $\bar{s}_a$, and thus has the form $(q, a)$ with $a \in v$ and $q \xrightarrow{a} p$ for some $p$. By considering the different types of places separately, we show that each such $(q, a)$ is in fact enabled and that firing it does not violate safety and reaches $M(p, v \setminus \{a\})$. Firing $(q, a)$ as above removes $\bar{s}_a$ and replaces $s_q$ by $s_p$, observing safety.

For the places $s_b$, $b \in E_V$, observe that $b \in v$ implies $a = b \vee p \xrightarrow{b}$. Now, $s_b \in {}^\bullet(q, a)$ implies $a \neq b \wedge \neg\, p \xrightarrow{b}$, hence $b \notin v$; since also $q \xrightarrow{b}$, we see that $M(q, v)$ marks $s_b \in {}^\bullet(q, a)$, and $(q, a)$ is enabled w.r.t. the $s_b$. If $M(q, v)$ marked some $s_b \in (q, a)^\bullet$, then $q \xrightarrow{b}$ and thus $b = a \in v$, a contradiction. Hence, firing $(q, a)$ does not violate safety w.r.t. the $s_b$, and $s_b$ is marked after firing $(q, a)$ iff $s_b \in (q, a)^\bullet$ or $s_b \notin {}^\bullet(q, a) \wedge s_b \in M(q, v)$. The latter disjunct means $(a = b \vee \neg\, q \xrightarrow{b} \vee p \xrightarrow{b}) \wedge q \xrightarrow{b} \wedge b \notin v$, i.e. $p \xrightarrow{b} \wedge q \xrightarrow{b} \wedge b \notin v$, since $a = b$ contradicts $b \notin v$. Expanding $s_b \in (q, a)^\bullet$, we get that $s_b$ is marked after firing $(q, a)$ iff $p \xrightarrow{b}$ and $a = b \vee \neg\, q \xrightarrow{b} \vee (q \xrightarrow{b} \wedge b \notin v)$. Since $b \in v$ implies $q \xrightarrow{b}$, the latter disjunction means $a = b \vee b \notin v$, i.e. $b \notin v \setminus \{a\}$. Thus, $s_b$ is marked after firing $(q, a)$ iff $p \xrightarrow{b}$ and $b \notin v \setminus \{a\}$ iff $M(p, v \setminus \{a\})$ marks $s_b$.
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It remains to check the Di, so let us fix one of them; we will write A{q) for 

3h & Di \ q ^ and analogously A{p) . Furthermore, B will stand for a £ Di and 
C for DiC\ {v\ {a}) = 0. With this, we have 
Di £ *{q,a) iff A{q) A ~^A{p) A ~^B, 

Di £ {q, a)* iff A{p) A {B V ^A{q)), 

Di £ M{q, v) iff A{q) A ~^B A C, 

Di £ M{p,v\{a\) iff A{p) A C. 

We list a number of properties: 

i) ^A{p) implies C. If ^C, pick some b £ Di D {v \ {a}); then alb and q 
thus q ^ p implies p and, hence, A{p). 

ii) Di £ *{q,a) implies Di £ M{q,v) by i); thus, (g, a) is enabled w.r.t. the 

A. 

iii) Di £ M{q,v) implies A ^ (?, a)* (because of A{q) A ~^B). Hence, firing 
{q, a) does not violate safety w.r.t. the A- 

iv) B implies C . (a is independent to all other events in v.) 

v) ~^A{q) implies C, since b £ DiC\ {v \ {a}) implies b £ v, thus q 

Now A is marked after firing {q,a) iff A G (q,a)* or A ^ *( 9 ) 0 ) A Di £ 
M{q, v). The latter disjunct means {~^A{q) V A{p) V B) A A{q) A ~^B A C, which 
can be simplified to A(p) A A{q) A ~^B A C. Expanding A £ (?, a)*, we get that 
A is marked after firing {q, a) iff A{p) and B V ^A{q) V {A{q) A ~^B A C). The 
latter conjunct can be simplified to BV^A{q) V C and by iv) and v) to C. Thus, 
A is marked after firing {q, a) iff A{p) and C iS M{p,i/\ {a}) marks A- □ 
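The following Python script is an added illustration, not code from the paper: it builds the net $N$ of this section for a small constructed weak ATS and checks Lemma 1 by brute force, enumerating the reachable markings, checking safety at every firing, comparing the reachable set with $\{M(q,v) \mid v \text{ a visible } q\text{-step}\}$ and testing the enabling condition of statement 1. Two assumptions are made explicit in the code: the two families of event places are written `('ev', a)` for $s_a$ and `('bar', a)` for $\bar s_a$, and the $D_i$ are taken to be the one- and two-element cliques $\{a,b\}$ of the reflexive dependence relation, one admissible choice of the family the construction relies on (every dependent pair must lie in a common $D_i$ and every $D_i$ must be pairwise dependent).

```python
"""Brute-force check of Lemma 1 on a constructed weak ATS (added example)."""
from itertools import combinations

# Constructed sample input: a and b independent, c dependent on both.
ARCS = [('q0', 'a', 'q1'), ('q0', 'b', 'q2'), ('q1', 'b', 'q3'),
        ('q2', 'a', 'q3'), ('q3', 'c', 'q4')]
INDEP = {frozenset({'a', 'b'})}          # irreflexive, symmetric, as a set of pairs
Q0 = 'q0'


def build_net(arcs, indep, q0):
    """Places: ('st',q) = s_q, ('ev',a) = s_a, ('bar',a) = s-bar_a, ('D',D) = D_i.
    Returns transitions as (preset, postset) pairs, the marking function M(q, v),
    the visible q-steps of every state, the initial marking and the enabling test."""
    T = {(q, a): p for q, a, p in arcs}
    Q = {q for q, _, _ in arcs} | {p for _, _, p in arcs}
    E = sorted({a for _, a, _ in arcs})
    en = lambda q, a: (q, a) in T                    # q --a-->
    # Assumption: the D_i are the cliques {a, b} of the reflexive dependence relation.
    Ds = [frozenset({a, b}) for a in E for b in E
          if a <= b and frozenset({a, b}) not in indep]
    A = lambda q, D: any(en(q, x) for x in D)        # exists b in D_i : q --b-->
    trans = {}
    for a in E:                                      # visible event a
        trans[a] = ({('ev', a)} | {('D', D) for D in Ds if a in D}, {('bar', a)})
    for (q, a), p in T.items():                      # internal event (q, a), q --a--> p
        pre = ({('st', q), ('bar', a)}
               | {('ev', b) for b in E if b != a and en(q, b) and not en(p, b)}
               | {('D', D) for D in Ds if A(q, D) and not A(p, D) and a not in D})
        post = ({('st', p)}
                | {('ev', b) for b in E if en(p, b) and (b == a or not en(q, b))}
                | {('D', D) for D in Ds if A(p, D) and (a in D or not A(q, D))})
        trans[(q, a)] = (pre, post)

    def M(q, v):
        return frozenset({('st', q)}
                         | {('ev', b) for b in E if en(q, b) and b not in v}
                         | {('bar', b) for b in v}
                         | {('D', D) for D in Ds if A(q, D) and not (D & v)})

    def steps(q):                                    # visible q-steps: pairwise independent
        enabled = [a for a in E if en(q, a)]
        return [frozenset(v) for k in range(len(enabled) + 1)
                for v in combinations(enabled, k)
                if all(frozenset({x, y}) in indep for x, y in combinations(v, 2))]

    return trans, M, {q: steps(q) for q in Q}, M(q0, frozenset()), en


def reachable(trans, m0):
    """All reachable markings; raises if a firing would put a second token on a place."""
    seen, todo = {m0}, [m0]
    while todo:
        m = todo.pop()
        for t, (pre, post) in trans.items():
            if pre <= m:
                rest = m - pre
                if rest & post:
                    raise ValueError(f"unsafe firing of {t}")
                m2 = frozenset(rest | post)
                if m2 not in seen:
                    seen.add(m2)
                    todo.append(m2)
    return seen


def check_lemma1(arcs=ARCS, indep=INDEP, q0=Q0):
    """(reachable markings == all M(q, v), statement 1 of Lemma 1 holds, #reachable)."""
    trans, M, steps, m0, en = build_net(arcs, indep, q0)
    reach = reachable(trans, m0)
    forms = {M(q, v) for q, vs in steps.items() for v in vs}
    stmt1 = all(
        (pre <= M(q, v)) == (en(q, a) and all(frozenset({a, b}) in indep for b in v))
        for q, vs in steps.items() for v in vs
        for a, (pre, _) in trans.items() if not isinstance(a, tuple))
    return reach == forms, stmt1, len(reach)
```

On the constructed input the 11 reachable markings are exactly the $M(q,v)$ for the visible $q$-steps ($v \subseteq \{a,b\}$ at $q_0$, one event or none elsewhere), no firing violates safety, and a visible $a$ is enabled under $M(q,v)$ precisely when $q \xrightarrow{a}$ and $a$ is independent of everything in $v$.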

Now we will show that $\mathcal{B}$ is an ST-bisimulation between $A$ and $N$, where $\mathcal{B}$ relates $(q',\mu)$ to $(M(q,v),\mu)$ if $\mu \cup v$ is a visible $q$-step, $\mu \cap v = \emptyset$ and from $q$ the step $v$ reaches $q'$ (which then allows the step $\mu$). This is clearly satisfied for $(q_0,\emptyset)$ and $(M(q_0,\emptyset),\emptyset)$, so let us assume $(q',\mu)\,\mathcal{B}\,(M(q,v),\mu)$.

We first show how $A$ simulates $N$, so consider $(M(q,v),\mu)[a^+\rangle(M(q,v),\mu \cup \{a\})$, hence $a$ is enabled under $M(q,v)$ and independent of all events in $\mu$. $a$ is also independent of all events in $v$, since otherwise some $D_i \in {}^\bullet a$ would be missing in $M(q,v)$; in particular, $a \notin v$. Since $s_a$ must be marked under $M(q,v)$, we get $q \xrightarrow{a}$; thus, $\mu \cup v \cup \{a\}$ is a visible $q$-step and $\mu \cup \{a\}$ is a visible $q'$-step; in particular, $(q',\mu)[a^+\rangle(q',\mu \cup \{a\})$. Furthermore, $(q',\mu \cup \{a\})\,\mathcal{B}\,(M(q,v),\mu \cup \{a\})$.

Next, consider $(M(q,v),\mu)[a^-\rangle(M(q,v \cup \{a\}),\mu \setminus \{a\})$, see Lemma 1. Since $q'$ enables $a \in \mu$, take $p$ with $q' \xrightarrow{a} p$, i.e. $(q',\mu)[a^-\rangle(p,\mu \setminus \{a\})$. Now $(v \cup \{a\}) \cup (\mu \setminus \{a\}) = \mu \cup v$ is a visible $q$-step, from $q$ the step $v \cup \{a\}$ reaches $p$ and $(v \cup \{a\}) \cap (\mu \setminus \{a\}) = \emptyset$; thus, $(p,\mu \setminus \{a\})\,\mathcal{B}\,(M(q,v \cup \{a\}),\mu \setminus \{a\})$.

To conclude with this simulation, consider $(M(q,v),\mu)[(q,a)\rangle(M(p,v \setminus \{a\}),\mu)$ where $a \in v$ and $q \xrightarrow{a} p$, see Lemma 1. Since $(q',\mu)\,\mathcal{B}\,(M(q,v),\mu)$, $\mu \cup v \setminus \{a\}$ is a visible $p$-step, where $\mu \cap (v \setminus \{a\}) \subseteq \mu \cap v = \emptyset$ and from $p$ the step $v \setminus \{a\}$ reaches $q'$; thus, $(q',\mu)\,\mathcal{B}\,(M(p,v \setminus \{a\}),\mu)$.

294 Walter Vogler

Now, we show how $N$ simulates $A$; given $(q',\mu)\,\mathcal{B}\,(M(q,v),\mu)$, we can conclude from the last paragraph that $N$ can first fire internal events reaching $(M(q',\emptyset),\mu)$, which is $\mathcal{B}$-related to $(q',\mu)$ as well. For this, we have to show that $(q,a)$ with $a \in v$ and $q \xrightarrow{a} p$ for some $p$ is independent of the events in $\mu$, so take some $b \in \mu$, i.e. $a\,I\,b$. The places in ${}^\bullet b \cup b^\bullet$ are $\bar s_b$, which is not in ${}^\bullet(q,a) \cup (q,a)^\bullet$, $s_b$ and each $D_i$ with $b \in D_i$. Since $\mu \cup v$ is a $q$-step, we have $q \xrightarrow{b}$ and $p \xrightarrow{b}$; thus, $s_b$ is not in ${}^\bullet(q,a) \cup (q,a)^\bullet$ either. Since $p \xrightarrow{b}$, a $D_i$ containing $b$ is not in ${}^\bullet(q,a)$. If such a $D_i$ were in $(q,a)^\bullet$, $q \xrightarrow{b}$ would imply $a \in D_i$, but $a$ and $b$ are independent. Thus, we have shown the independence of $(q,a)$ and $b$.

Hence, we only have to consider the case $(q',\mu)\,\mathcal{B}\,(M(q',\emptyset),\mu)$. On the one hand, if $(q',\mu)[a^+\rangle(q',\mu \cup \{a\})$, then $a \notin \mu$ and $\mu \cup \{a\}$ is a $q'$-step, i.e. $q' \xrightarrow{a}$ and $a$ is independent of the events in $\mu$. With Lemma 1 we get that $M(q',\emptyset)$ enables $a$, thus $(M(q',\emptyset),\mu)[a^+\rangle(M(q',\emptyset),\mu \cup \{a\})$ and the latter is $\mathcal{B}$-related to $(q',\mu \cup \{a\})$.

On the other hand, if $(q',\mu)[a^-\rangle(p,\mu \setminus \{a\})$ with $a \in \mu$ and $q' \xrightarrow{a} p$, we have $M(q',\emptyset)[a\rangle M(q',\{a\})$ by Lemma 1. Hence, $(M(q',\emptyset),\mu)[a^-\rangle(M(q',\{a\}),\mu \setminus \{a\})$ and the latter ST-marking is $\mathcal{B}$-related to $(p,\mu \setminus \{a\})$. Thus we have shown:

Theorem 2. For each visible weak ATS $A$ there exists a divergence-free net $N$ that is ST-bisimilar to $A$.

Note that $N$ constructed from $A$ above contains a loop if and only if $A$ contains a loop. Such a loop in $N$ consists of $(q,a)$ and $s_q$ with $q \xrightarrow{a} q$.




Figure 2 

Figure 2 shows an ATS, where $a$ is independent of $b$ and $c$, and the reachability graph of the net that results from our construction, where the internal events have simply been numbered and $1 = (q_0,a)$, $2 = (q_0,b)$ and $3 = (p,b)$. This example demonstrates the transformation of the given ATS that is implied by our construction; one could call it $\tau$-splitting of events, where $\tau$ stands for an internal event. But it also makes clear that this construction does not always give a 'good' result: the occurrence sequence $ab13c$ gives a trace where, in the visible po, $c$ comes 'after', i.e. depends causally on, both $a$ and $b$. Of course, it is straightforward to find a net $N$ with the given ATS as reachability graph such that in this net $c$ is completely independent of $a$.

But note that our construction works for any weak asynchronous transition system; Figure 3 shows a transition system and a net implementation (not obtained by our construction) where $a$ and $b$ are independent and state $q$ satisfies only one of the two conditions shown in the figure. This is only possible when using internal events in the net.




Figure 3 



5 Safe and Semi-safe Transition Systems 

For Section 6 we need the classical theory of regions as extended to safe nets in and as varied in . To allow reference to the proofs there, we present this material, also allowing loops in transition systems in contrast to . In this section, all events are visible, i.e. the additional feature of internal events is of no importance and we are in the more usual setting. Also, our results do not depend on independence; independence is just an additional feature that makes Theorem 6 below stronger using Proposition 5.

For a visible ATS $A$, a region is a nonempty, proper subset $R$ of $Q$ satisfying for each event $a$ one of the following cases (where the third is a subcase of the fourth):

- $R$ is a pre-region of $a$, $R \in {}^\circ a$, i.e. $q \xrightarrow{a} p$ implies $q \in R$ and $p \notin R$.

- $R$ is a post-region of $a$, $R \in a^\circ$, i.e. $q \xrightarrow{a} p$ implies $q \notin R$ and $p \in R$.

- $R$ is a co-region of $a$, i.e. $q \xrightarrow{a} p$ implies $q \in R$ and $p \in R$.

- $a$ is not crossing $R$, i.e. $q \xrightarrow{a} p$ implies $q,p \in R$ or $q,p \notin R$.

A visible ATS is safe, if it satisfies the following two properties:

• event separation: for all $a \in E_V$ and $q \in Q$, $\neg\, q \xrightarrow{a}$ implies that there exists a pre- or co-region $R$ of $a$ with $q \notin R$.

• state separation: for all $p,q \in Q$ with $p \neq q$, there exists a region $R$ such that $p \in R$ iff $q \notin R$.

We will show that safe ATSs are (up to isomorphism) just the reachability graphs of general safe nets, where one implication is quite obvious.

Proposition 3. If $N$ is a visible net, then its reachability graph is a safe ATS.

For the other implication, we first note:

Lemma 4. If $A$ is a safe ATS and $a$ an event that is enabled under all states, then $q \xrightarrow{a} q$ for all states $q$.

We call an event $a$ with $q \xrightarrow{a} q$ for all states $q$ a loop-event.

Now assume we are given a safe ATS $A$; let $\mathcal{R}$ be a set of regions that are sufficient to satisfy event and state separation. We construct a net $N = (\mathcal{R} \cup \{s\}, E_V, \emptyset, F, M_N)$ by letting $(R,a) \in F$ if $R$ is a pre- or co-region of $a$, $(a,R) \in F$ if $R$ is a post- or co-region of $a$, $(a,s),(s,a) \in F$ if $a$ is a loop-event, and finally $M_N = \{R \in \mathcal{R} \mid q_0 \in R\} \cup \{s\}$. First note that each event $a$ has a nonempty preset in $N$, since it is either a loop-event or it has a region $R$ with $(R,a) \in F$ by event separation.

We now show that the reachability graph of $N$ is isomorphic to $A$ except for the independence relation, where $q \in Q$ corresponds to $\{R \in \mathcal{R} \mid q \in R\} \cup \{s\}$, which is injective by state separation of $\mathcal{R}$ and obviously preserves initial states.

We will show that this correspondence preserves the transition relation, too, and also check that safety is not violated in $N$. Since all states are reachable, this shows at the same time that our correspondence is a bijection onto the reachable markings. Observe that a loop-event has only $s$ in its pre- and postset, which is always marked; thus, we can ignore $s$ and any loop-events in the following. Now, take corresponding $q$ and $M$ and first assume $q \xrightarrow{a} q'$. If $(R,a) \in F$, then $q \in R$ and $R$ is marked under $M$; thus, $a$ is enabled under $M$; we define $M' = (M \setminus {}^\bullet a) \cup a^\bullet$. We check the different possibilities for a region $R \in \mathcal{R}$ w.r.t. $a$. If $R$ is a pre-region of $a$, then on the one hand $q \in R$ and $q' \notin R$, while on the other hand firing $a$ empties $R$; hence $R \notin M'$. If $R$ is a post-region of $a$, then on the one hand $q \notin R$ and $q' \in R$, while on the other hand firing $a$ marks $R$; hence $R \notin M$, such that safety is not violated, and $R \in M'$. If $R$ is a co-region of $a$, then on the one hand $q \in R$ and $q' \in R$, while on the other hand $a$ and $R$ form a loop; hence safety is not violated and $R \in M'$. If none of these cases applies, then on the one hand $q \in R$ iff $q' \in R$, while on the other hand firing $a$ does not change the marking of $R$; hence, $R \in M$ iff $R \in M'$. In any case, $q'$ and $M'$ correspond (using the correspondence of $q$ and $M$ in the last case).

Second, assume $M[a\rangle M'$. If $\neg\, q \xrightarrow{a}$, then there is some $R \in \mathcal{R}$ with $q \notin R$ that is a pre- or co-region of $a$; this implies $R \notin M$ and $(R,a) \in F$, a contradiction. Hence, $q \xrightarrow{a} q'$ for some $q'$, which by the last paragraph corresponds to $M'$.

If we are not interested in the independence relation, $N$ realizes $A$. Otherwise, note that our correspondence is an isomorphism (up to the independence relation) and hence also a bisimulation, and apply the following new result.

Proposition 5. Let $A$ be a visible ATS and $N$ a visible net bisimilar to $A$. Then there exists a net $N'$ whose reachability graph is isomorphic to that of $N$ except that its independence is $I$ (i.e. that of $A$).

Proof. If we have events $a$ and $b$ that are independent according to $I(N)$ but not according to $I$, we can add a common marked loop place to $a$ and $b$. This does not really change the reachability graph of $N$ and makes $a$ and $b$ dependent.

We also could have events $a$ and $b$ that are independent according to $I$ but not according to $I(N)$. Consider some $q_1 \in Q$ with $q_1 \xrightarrow{a} q_2 \xrightarrow{b} q_4$ and $q_1 \xrightarrow{b} q_3 \xrightarrow{a} q_4$. Due to bisimilarity, there is a reachable marking $M_1$ of $N$ with $M_1[a\rangle M_2[b\rangle M_4$ and $M_1[b\rangle M_3[a\rangle M_4'$. The effect of firing $a$ and $b$ does not depend on their order; hence $M_4 = M_4'$. Furthermore, a place in $({}^\bullet a \cup a^\bullet) \cap ({}^\bullet b \cup b^\bullet)$ can only be a common loop place of $a$ and $b$. In this situation, we duplicate each such common loop place $s$ such that both copies are connected by arcs to all other events in the same way as $s$, but one copy is on a loop with $a$ (and not with $b$) while the other is on a loop with $b$ (and not with $a$). This does not really change the reachability graph of $N$ and makes $a$ and $b$ independent. □

We conclude:

Theorem 6. If $A$ is a safe ATS, then there effectively exists a (visible) net $N$ whose reachability graph is isomorphic to $A$.

As a next step, we weaken the definition of a safe ATS. A visible ATS is semi-safe if it satisfies event separation, but not necessarily state separation. Thus, a semi-safe ATS is, up to the treatment of loops and up to independence, what calls an excitation-closed transition system. Following , we will show that a semi-safe ATS $A$ can be realized by a visible net up to bisimilarity by transforming $A$ into a bisimilar safe ATS $A'$ and applying the above theorem. Semi-safety on languages, i.e. on infinite tree-shaped transition systems, is also considered in and in the context of trace languages in . We note a lemma first.

Lemma 7. Let $A$ be a visible ATS, $\mathcal{B}$ an equivalence on $Q$ that is also a bisimulation on $A$, and denote the equivalence class of $q \in Q$ by $[q]$. Then the $\mathcal{B}$-quotient $A' = (\{[q] \mid q \in Q\}, E_V, \emptyset, T', [q_0], I)$ is a (visible) ATS bisimilar to $A$, where $T'([q],a) = [q']$ if $q \xrightarrow{a} q'$.

Now assume a semi-safe ATS $A$ is given. Define a relation $\mathcal{B}$ on $Q$ by $q\,\mathcal{B}\,p$ if $q$ and $p$ are contained in the same regions. Clearly, $\mathcal{B}$ is an equivalence.

Let $q \xrightarrow{a} q'$ and $q\,\mathcal{B}\,p$; if $\neg\, p \xrightarrow{a}$, then due to event separation there would be a pre- or co-region of $a$, hence containing $q$, not containing $p$, a contradiction. Thus, there is some $p'$ with $p \xrightarrow{a} p'$. If a region $R$ contains $q'$ and $q$, hence $p$, then $a$ is not crossing $R$, i.e. $p' \in R$. If $R$ contains $q'$ but neither $q$ nor $p$, then $R$ is a post-region of $a$ and contains $p'$. Vice versa, each region containing $p'$ contains $q'$, too; thus, $q'\,\mathcal{B}\,p'$. Therefore, $\mathcal{B}$ is a bisimulation on $A$. By the above lemma, $A'$ as defined there is an ATS bisimilar to $A$.

It remains to show that in our case $A'$ is a safe ATS. For a region $R$ of $A$, we define $[R] = \{[q] \mid q \in R\}$. If $R$ is a region of $A$ and $q \in R$, then clearly $[q] \subseteq R$. With this and the above considerations, it is not hard to see that $[R]$ is a region of $A'$ and, more precisely, a pre-, co- or post-region for some $a$ if $R$ is a pre-, co- or post-region for this $a$ in $A$. Thus, if some $[q]$ does not enable some $a$ in $A'$, then neither does $q$ in $A$ and there is some pre- or co-region $R$ of $a$ not containing $q$; hence, $[R]$ is a pre- or co-region of $a$ not containing $[q]$. If $[q] \neq [p]$, then $\neg\, q\,\mathcal{B}\,p$ and there is some region $R$ containing exactly one of $p$ and $q$, thus $[R]$ is a region containing exactly one of $[p]$ and $[q]$. We conclude:

Theorem 8. If $A$ is a semi-safe ATS, then there effectively exists a bisimilar safe ATS and a visible net $N$ bisimilar to $A$.
Figure 4

Figure 4 shows a semi-safe ATS (with dependent $a$ and $b$). Clearly, it cannot be the reachability graph of a net, but identification of the two 'terminal' states gives such an ATS.

6 Results on Bisimilar and hp-Bisimilar Implementations of ATSs

Largely repeating from the literature, we have seen in the last section that semi-safe ATSs can be implemented as visible nets up to bisimilarity. We started out with the aim to use behaviour notions that also consider concurrency. With the following easy lemma, it becomes obvious from Proposition 5 that, whenever we can realize a visible ATS by a bisimilar visible net, we can also realize it by an hp-bisimilar visible net; this applies in particular to semi-safe ATSs.

Lemma 9. If two bisimilar visible ATSs have the same independence relation, then they are hp-bisimilar.

Proof. By bisimilarity, the two visible ATSs have the same occurrence sequences, hence the same traces, and the identity is an hp-bisimulation. □

Corollary 10. Let $A$ be a visible ATS and $N$ a visible net bisimilar to $A$. Then there also exists a visible net hp-bisimilar to $A$. In particular, if $A$ is a semi-safe ATS, then there exists a visible net hp-bisimilar to $A$.

While we have seen in the last section that identifying bisimilar states in an ATS can help to find a net implementation, Figure 5 shows an ATS that violates event separation for $d$ and $q$; since there are no bisimilar states, identification of bisimilar states cannot help here. Nevertheless, the ATS has a bisimilar net implementation as shown, where the two occurrences of $c$ lead to different markings. So splitting a state into bisimilar copies can also help.

Semi-safety is sufficient to ensure that a bisimilar visible net exists; we will now give an algorithm to decide whether for a given visible ATS there exists a bisimilar (or hp-bisimilar) visible net. We list some lemmata first.

Lemma 11. Let $A'$ and $A$ be ATSs with the same events and $h$ a morphism from $A'$ to $A$, i.e. a function from $Q'$ to $Q$ with $h(q'_0) = q_0$ such that $p \xrightarrow{a} q$ in $A'$ implies $h(p) \xrightarrow{a} h(q)$ in $A$. If $R$ is a region of $A$ (and a pre-/post-/co-region of some $a$), then $h^{-1}(R)$ is a region of $A'$ (and a pre-/post-/co-region of $a$).
Figure 5

Lemma 12. Let $A$ and $A'$ be bisimilar visible ATSs and define $q\,\mathcal{B}\,q'$ if $q_0 \xrightarrow{w} q$ in $A$ and $q'_0 \xrightarrow{w} q'$ in $A'$ for some $w \in E^*$. Then $\mathcal{B}$ is a bisimulation.

Lemma 13. Let $N$ be a visible net and $M$, $M'$ be reachable markings with $M[w\rangle M'$ for some $w \in E^*$. If $M'[w\rangle$ or $M$ and $M'$ are bisimilar, then $M = M'$.

Let $A$ be an ATS. States $p$ and $q$ of $A$ are strongly connected, if there are paths from $p$ to $q$ and from $q$ to $p$ (i.e. $p \xrightarrow{v} q$ and $q \xrightarrow{w} p$ for some $v,w \in E^*$). Being strongly connected is an equivalence relation; a strongly connected component (scc for short) consists of an equivalence class together with the arcs between any two of its elements. An arc $p \xrightarrow{a} q$ is a tree-edge, if it does not belong to any scc. Note that no path in $A$ can use a tree-edge twice, because then we would have a cycle containing the tree-edge, and this cycle would be contained in an scc.

We will now define the scc-tree of $A$, denoted scc-tree$(A)$. The idea is to unfold $A$ into a tree-like ATS, where the sccs are left intact but possibly get duplicated, and form a tree with the tree-edges. This unfolding gives a finite ATS (in contrast with the complete unfolding into a tree), but all states of $A$ are split as much as it could be helpful for finding a suitable net.

Let $q_0 \xrightarrow{a_1} q_1$, $q_1 \xrightarrow{a_2} q_2$, …, $q_{n-1} \xrightarrow{a_n} q_n$ in $A$; taking the subsequence of tree-edges and representing each such tree-edge $q \xrightarrow{a} p$ as $(q,a,p)$, we obtain a sequence $\sigma$ which we call a tree-path to $q_n$. Note that $\sigma$ cannot contain a repetition, and thus there can only be finitely many tree-paths to any $q$.

We define scc-tree$(A) =: A'$ as follows: $Q' = \{(q,\sigma) \mid \sigma$ a tree-path to $q \in Q\}$, $E'_V = E_V$, $E'_I = E_I$, $q'_0 = (q_0,\lambda)$ and $I' = \emptyset$; $T'((q,\sigma),a)$ is $(p,\sigma)$ if $q \xrightarrow{a} p$ and $q$ and $p$ belong to the same scc, and it is $(p,\sigma(q,a,p))$ if $q \xrightarrow{a} p$ is a tree-edge. Observe: both images are indeed in $Q'$, and the transition relation is deterministic.

Occurrence of an event changes the first component of a state of $A'$ as in $A$, while the second gives just additional information splitting $q$ into several copies. Hence, just as in $A$, each event is enabled under some state of $A'$, and $A$ and $A'$ are bisimilar; since the independence relation is empty, $A'$ is an ATS.

Lemma 14. scc-tree$(A)$ is an ATS and bisimilar to $A$.

The following theorem shows that by constructing scc-tree$(A)$ we have performed all state splittings that can possibly help to implement $A$.

Theorem 15. There exists a visible net $N$ (hp-)bisimilar to a visible ATS $A$ if and only if scc-tree$(A)$ is a semi-safe ATS.

Proof. Theorem 8, Lemma 14 (and Corollary 10) give the reverse implication.

For the other implication, scc-tree$(A)$ and $N$ are bisimilar by Lemma 14, and the relation $\mathcal{B}$ in Lemma 12 relates each state $(q,\sigma)$ to some reachable marking $M$; we show that this $M$ is unique, i.e. $\mathcal{B}$ is a function.

If $\sigma = (q_1,a_1,q'_1)\ldots(q_k,a_k,q'_k)$, then each occurrence sequence to $(q,\sigma)$ uses each arc from $(q_i,(q_1,a_1,q'_1)\ldots(q_{i-1},a_{i-1},q'_{i-1}))$ to $(q'_i,(q_1,a_1,q'_1)\ldots(q_i,a_i,q'_i))$ for $i = 1,\ldots,k$. If $(q,\sigma)$ is related to $M$ and $M'$ due to some $w$ and $w'$, then both of the latter must use these arcs. Thus, we can apply induction if we show:

(*) Assume that $(q_0,\lambda) \xrightarrow{w} (q,\sigma) \xrightarrow{w'} (q',\sigma)$ and $(q,\sigma) \xrightarrow{w''} (q',\sigma)$ in scc-tree$(A)$ and that $M_N[w\rangle M[w'\rangle M'$ and $M[w''\rangle M''$ in $N$; then $M' = M''$.

Proof of (*): Since $q$ and $q'$ belong to the same scc, there is some $v$ with $q' \xrightarrow{v} q$, i.e. $(q',\sigma) \xrightarrow{v} (q,\sigma)$. Since $\mathcal{B}$ is a bisimulation, this shows $M[w'\rangle M'[v\rangle M'''$ for some $M'''$ bisimilar to $(q,\sigma)$, which implies $M'''[w'v\rangle$ and with Lemma 13 $M = M'''$. Thus $M'[vw''\rangle M''$.

Since $M'$ and $M''$ are related to the same $(q',\sigma)$ by the bisimulation $\mathcal{B}$, they are bisimilar and hence equal by Lemma 13 again.

Thus, $\mathcal{B}$ is a function $h$ and in fact a morphism as defined in Lemma 11, which gives us event separation: If $\neg\,(q,\sigma) \xrightarrow{a}$ in scc-tree$(A)$, then $\neg\, h(q,\sigma)[a\rangle$ in $N$, since $h$ is a bisimulation. Hence, there is some pre- or co-region $R$ of $a$ in the reachability graph of $N$ with $h(q,\sigma) \notin R$. Thus, $h^{-1}(R)$ is a pre- or co-region of $a$ in scc-tree$(A)$ with $(q,\sigma) \notin h^{-1}(R)$. We conclude that scc-tree$(A)$ is semi-safe. □
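The following Python script, an added illustration rather than code from the paper, implements the pieces of Section 5 (the net construction from regions) and of this section (the scc-tree decision) by brute force for small finite transition systems. It enumerates all regions and classifies each as pre-, post- or co-region of every event, checks event and state separation, builds the net of Theorem 6 and verifies that its reachability graph is isomorphic to the input, forms the region quotient used for Theorem 8, and unfolds an ATS into its scc-tree to run the decision of Theorem 15. Independence is ignored throughout, as in Section 5. The three transition systems at the end are constructed for this example (a concurrency diamond, the diamond with its two terminal states kept apart as in Figure 4, and a cycle entered by two tree-paths); the place name `'s'` and all function names are this example's own choices.

```python
"""Regions, separation, net synthesis (Theorem 6), region quotient (Theorem 8) and the
scc-tree decision (Theorem 15) by brute force on small finite transition systems;
independence is ignored as in Section 5.  Added example, not the paper's code."""
from itertools import combinations

class ATS:
    """Deterministic transition system: arcs are (q, a, p) triples, q0 the initial state."""
    def __init__(self, arcs, q0):
        self.T = {(q, a): p for q, a, p in arcs}
        self.Q = frozenset({q for q, _, _ in arcs} | {p for _, _, p in arcs} | {q0})
        self.E = frozenset(a for _, a, _ in arcs)
        self.q0 = q0
    def arcs(self, a):
        return [(q, p) for (q, b), p in self.T.items() if b == a]

def region_type(A, R, a):
    """'pre', 'post', 'co', 'none' (a does not cross R) or None (R is no region for a)."""
    kinds = {(q in R, p in R) for q, p in A.arcs(a)}
    if len(kinds) == 1:
        return {(True, False): 'pre', (False, True): 'post', (True, True): 'co',
                (False, False): 'none'}[next(iter(kinds))]
    return 'none' if kinds == {(True, True), (False, False)} else None

def regions(A):
    """All regions: nonempty proper subsets of Q typed for every event (2^|Q| subsets)."""
    out = {}
    for k in range(1, len(A.Q)):
        for R in map(frozenset, combinations(sorted(A.Q, key=str), k)):
            types = {a: region_type(A, R, a) for a in A.E}
            if None not in types.values():
                out[R] = types
    return out

def event_separated(A, regs):
    """Every state at which a is disabled lies outside some pre- or co-region of a."""
    return all(any(t[a] in ('pre', 'co') and q not in R for R, t in regs.items())
               for a in A.E for q in A.Q - {q for q, _ in A.arcs(a)})

def state_separated(A, regs):
    return all(any((p in R) != (q in R) for R in regs) for p, q in combinations(A.Q, 2))

def synthesize(A, regs):
    """Net of Theorem 6 (places: the regions plus the loop place 's'): pre, post, M_N."""
    loop = {a for a in A.E if all(A.T.get((q, a)) == q for q in A.Q)}
    s = lambda a: {'s'} if a in loop else set()
    pre = {a: {R for R, t in regs.items() if t[a] in ('pre', 'co')} | s(a) for a in A.E}
    post = {a: {R for R, t in regs.items() if t[a] in ('post', 'co')} | s(a) for a in A.E}
    return pre, post, frozenset(R for R in regs if A.q0 in R) | {'s'}

def reachability_graph(pre, post, m0):
    """Fire the net from m0; raises if a firing would put a second token on a place."""
    seen, todo, edges = {m0}, [m0], set()
    while todo:
        m = todo.pop()
        for a in (a for a in pre if pre[a] <= m):
            rest = m - pre[a]
            if rest & post[a]:
                raise ValueError(f"firing {a} violates safety")
            m2 = frozenset(rest | post[a])
            edges.add((m, a, m2))
            if m2 not in seen:
                seen.add(m2)
                todo.append(m2)
    return seen, edges

def realizes(A, regs):
    """True iff the reachability graph of the synthesized net is isomorphic to A."""
    marks, edges = reachability_graph(*synthesize(A, regs))
    f = {q: frozenset(R for R in regs if q in R) | {'s'} for q in A.Q}
    return (len(set(f.values())) == len(A.Q) and set(f.values()) == marks
            and {(f[q], a, f[p]) for (q, a), p in A.T.items()} == edges)

def region_quotient(A, regs):
    """Identify states lying in the same regions (Lemma 7 as used for Theorem 8)."""
    key = lambda q: frozenset(R for R in regs if q in R)
    return ATS([(key(q), a, key(p)) for (q, a), p in A.T.items()], key(A.q0))

def scc_tree(A):
    """Unfold A along its tree-edges; strongly connected components stay intact."""
    reach = {q: {q} for q in A.Q}
    for _ in A.Q:                                # |Q| rounds saturate the closure
        for x in A.Q:
            reach[x] |= {p for (y, _), p in A.T.items() if y in reach[x]}
    same_scc = lambda q, p: p in reach[q] and q in reach[p]
    root = (A.q0, ())                            # states are (q, tree-path), () is lambda
    seen, todo, arcs = {root}, [root], []
    while todo:
        q, sigma = todo.pop()
        for (x, a), p in A.T.items():
            if x == q:
                tgt = (p, sigma) if same_scc(q, p) else (p, sigma + ((q, a, p),))
                arcs.append(((q, sigma), a, tgt))
                if tgt not in seen:
                    seen.add(tgt)
                    todo.append(tgt)
    return ATS(arcs, root)

def net_exists(A):                               # the decision of Theorem 15
    T = scc_tree(A)
    return event_separated(T, regions(T))

# Constructed inputs: a concurrency diamond, the diamond with its two terminal states
# kept apart (the situation of Figure 4), and a cycle entered by two tree-paths.
DIAMOND = ATS([('q0', 'a', 'q1'), ('q0', 'b', 'q2'), ('q1', 'b', 'q3'), ('q2', 'a', 'q3')], 'q0')
SPLIT = ATS([('q0', 'a', 'q1'), ('q0', 'b', 'q2'), ('q1', 'b', 'q3'), ('q2', 'a', 'q4')], 'q0')
CYCLE = ATS([('q0', 'a', 'q1'), ('q0', 'b', 'q2'), ('q1', 'c', 'q3'), ('q2', 'c', 'q3'),
             ('q3', 'd', 'q4'), ('q4', 'e', 'q3')], 'q0')
```

The diamond has exactly four regions (the pre- and post-regions of $a$ and of $b$), is safe, and `realizes` confirms that the synthesized net has an isomorphic reachability graph. The split diamond is event-separated but its two terminal states lie in the same regions, so `state_separated` fails; its region quotient is the diamond again and is realizable, which is Theorem 8 in action. `scc_tree` turns the cycle example into seven states (the scc $\{q_3,q_4\}$ is duplicated once per tree-path into it) and, as the remark after Corollary 16 predicts, splits the diamond itself into five states, since $q_3$ has two tree-paths; both remain semi-safe, so `net_exists` answers True.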

Without internal events, finding a bisimilar net is the same problem as finding a language equivalent net. This problem has been considered for unbounded nets in (in a trace setting), for bounded nets (without loops) in and for unbounded nets (without loops) in . It is shown that the language, i.e. the complete unfolding of the transition system, has to satisfy event separation. So the important point of our result is that scc-tree$(A)$ is finite. give effective results, where works on regular expressions, while uses a finite tree-like unfolding of the transition system; this unfolding seems to be much more complicated than ours, where of course the problem considered is different and unbounded nets are more involved than safe ones.

There can be exponentially many tree-paths in a visible ATS $A$, e.g. if it consists of a sequence of states each being connected to the next by two arcs. On the other hand, if $A$ has $n$ states, there are at most $n^n$ tree-paths, so scc-tree$(A)$ can be at most of exponential size compared to $A$.

To make $A$ and, thus, scc-tree$(A)$ smaller, one can first of all replace $A$ by its bisimilarity-quotient $A'$. Since bisimilarity on $A$ is a bisimulation and an equivalence, $A'$ is a visible ATS bisimilar to $A$ by Lemma 7, so the existence of a bisimilar net can be checked for $A'$ instead of $A$.

In fact, I assume that in practice the simplicity of the scc-tree will help a lot. In many cases, $A$ or at least its bisimilarity-quotient $A'$ will be strongly connected or consist of a path from the initial state to some scc (which is then the only one which may contain more than one state). Then $A'$ is isomorphic to scc-tree$(A')$, and we simply have to check whether $A'$ is semi-safe. Since there are no bisimilar states in $A'$, this is the same as checking safety by the proof of Theorem 8. Of course, semi-safety is most likely easier to check than safety; at least in this case, it is sufficient to find enough regions to guarantee event separation, also for the construction of a suitable net. We summarize:

Corollary 16. Let $A$ be a visible ATS and $A'$ be its bisimilarity-quotient.

i) If $A$ is strongly connected or consists of a path from the initial state to some scc, the same applies to $A'$. If $A'$ is strongly connected or consists of a path from the initial state to some scc, then scc-tree$(A')$ is isomorphic to $A'$.

ii) Assume scc-tree$(A')$ is isomorphic to $A'$. Then there exists a visible net $N$ (hp-)bisimilar to $A$ if and only if $A'$ is safe if and only if $A'$ is semi-safe, where $N$ can directly be constructed from some regions guaranteeing event separation.

In the cases not covered by this corollary, there are possibilities for further improvements. First, minimizing $A$ possibly merges states that are then split again in scc-tree$(A)$; one could try to avoid this, but this would need careful consideration: e.g. just merging bisimilar states that belong to the same scc could create non-determinism, hence further merging could be required. Second, if there is some 'diamond', i.e. $q \xrightarrow{ab} p$ and $q \xrightarrow{ba} p$, and some arc involved is a tree-edge, then the diamond would be split in scc-tree$(A)$; this cannot help to find a net, since in a net firing $ab$ or $ba$ leads to the same marking; thus, splitting in the construction of scc-tree$(A)$ could be reduced such that diamonds are kept intact.



We now come to our last contribution: we will exhibit a construction on ATSs that preserves hp-bisimilarity and involves internal events. The example treated in demonstrates that this can turn a visible ATS that is not semi-safe into one that is safe if one regards the additional internal event as visible. This shows how to use our construction: the new ATS is isomorphic to the reachability graph of a net $N$, which is therefore hp-bisimilar to the original ATS if we regard the additional event of $N$ as internal again. (In formal words, this is true because hp-bisimilarity is a congruence for hiding.) Later, we will give an example showing that the construction is not always helpful. Thus, for the time being, we can only offer a trial-and-error method that may help to find an hp-bisimilar net.

A $\tau$-state-splitting $A'$ of an ATS $A$ is obtained by choosing a state $q$ and a family $\{q_a \xrightarrow{a} q\}$ of arcs such that $a$ and $b$ are dependent whenever $q_a \xrightarrow{a} q$ is in this family and we have $p \xrightarrow{b} q$ outside the family or $q \xrightarrow{b} p$ for some state $p$. Then, $A'$ has a new state $q'$, a new internal event $\tau$ dependent to all other events, and a new arc $q' \xrightarrow{\tau} q$; each arc $q_a \xrightarrow{a} q$ of the family is redefined to $q_a \xrightarrow{a} q'$.
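As an added example (not code from the paper), the following Python function performs a $\tau$-state-splitting on an ATS given as a list of arcs $(q,a,p)$ together with an irreflexive independence relation, enforcing the side condition above before rewriting the arcs; the name `tau` for the new internal event and the primed name of the new state are this example's own choices. On a concurrency diamond it refuses to split at only one of the two arcs into the final state (the other arc's label is independent of the chosen one), while it accepts the family consisting of both arcs; with $a$ and $b$ dependent, splitting at one arc is accepted, which is the negative example discussed after Theorem 17.

```python
"""tau-state-splitting of an ATS (added example, not the paper's code)."""


def tau_state_split(arcs, indep, q, family, tau='tau', new_state=None):
    """Split state q of the ATS given by arcs (x, a, y) at the arcs in `family`
    (a subset of the arcs into q).  Returns the new arc list or raises ValueError
    if the side condition fails: each label a of a family arc must be dependent on
    every b labelling an arc into q outside the family or an arc out of q.
    `indep` is the (irreflexive) independence relation as a set of frozenset pairs."""
    family = set(family)
    into_q = {(x, a, y) for x, a, y in arcs if y == q}
    if not family <= into_q:
        raise ValueError("family must consist of arcs into q")
    dependent = lambda a, b: frozenset({a, b}) not in indep   # a = b is dependent
    others = ({a for _, a, _ in into_q - family}
              | {a for x, a, _ in arcs if x == q})
    for _, a, _ in family:
        for b in others:
            if not dependent(a, b):
                raise ValueError(f"{a} and {b} independent: condition violated at {q}")
    q1 = new_state if new_state is not None else f"{q}'"
    # Redirect the family arcs to the new state q1 and add q1 --tau--> q.
    new_arcs = [(x, a, q1 if (x, a, y) in family else y) for x, a, y in arcs]
    new_arcs.append((q1, tau, q))
    # tau is dependent on every event, so `indep` also serves as the independence of A'.
    return new_arcs


def split_allowed(arcs, indep, q, family):
    """True iff the side condition of the construction holds for this family."""
    try:
        tau_state_split(arcs, indep, q, family)
        return True
    except ValueError:
        return False


# Constructed input: the concurrency diamond q0 -a-> q1 -b-> q3, q0 -b-> q2 -a-> q3.
DIAMOND = [('q0', 'a', 'q1'), ('q0', 'b', 'q2'), ('q1', 'b', 'q3'), ('q2', 'a', 'q3')]
A_INDEP_B = {frozenset({'a', 'b'})}
```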



Theorem 17. Let $A$ be an ATS and $A'$ be a $\tau$-state-splitting of $A$. Then $A$ and $A'$ are hp-bisimilar and one is divergence-free if the other one is.

Proof. The claim about divergence is easy. We will show the theorem for a visible ATS $A$; this is sufficient, since turning visible events into internal ones preserves hp-bisimilarity. Assume we are given $q$ and the family of arcs as above.

First, we have to show that $A'$ is an ATS, i.e. satisfies the independence requirements. So assume that in $A'$ $p \xrightarrow{a} p_1$ and, for some $b$ independent of $a$, $p \xrightarrow{b}$ or $p_1 \xrightarrow{b}$. Clearly, $p \neq q'$, since $\tau$ is not independent of any event. If $p_1 = q'$, we would have $p \xrightarrow{a} q$ and $p \xrightarrow{b}$ in $A$, hence $q \xrightarrow{b}$, contradicting the choice of the arc family. Thus, we have a diamond $p \xrightarrow{a} p_1 \xrightarrow{b} p_3$ and $p \xrightarrow{b} p_2 \xrightarrow{a} p_3$ in $A$, and by the above (and symmetry) $p \xrightarrow{a} p_1$ and $p \xrightarrow{b} p_2$ in $A'$. If we do not have the same diamond in $A'$, then w.l.o.g. $p_1 \xrightarrow{b} q'$ in $A'$ and this is one of the redefined arcs; by $a\,I\,b$ and choice of the arc family, then $p_2 \xrightarrow{a} p_3$ also belongs to the family, i.e. $p_2 \xrightarrow{a} q'$ in $A'$.

The hp-bisimulation matches each occurrence sequence $w$ (or its trace) in $A$ with the same sequence in $A'$, where we insert a $\tau$ after each $a$ arising from some $q_a \xrightarrow{a} q$ in $A$ from the chosen family; clearly, this is an occurrence sequence in $A'$ ending in the same state, and we only have to check that it has the same visible po. So assume that $w = uabu'$ and we have to insert a $\tau$ after $a$. On the $A'$-side, each visible event before this $\tau$ is less than this $\tau$, which in turn is less than each visible event after this $\tau$ in the full labelled partial order defined from the extended occurrence sequence; we have to check that on the $A$-side each event in $ua$ is less than each event in $bu'$, too, and we will write here $<$ for less than. The $a$ arises from an arc into $q$, the $b$ from an arc out of $q$, hence $a$ and $b$ are dependent and $a < b$; so choose some (occurrence of some) $c$ in $u$ and $d$ in $u'$. If $c < a$, also $c < b$; otherwise, we can commute the $c$ behind $a$, i.e. there is a $c$-labelled arc into $q$ and $a\,I\,c$; by choice of the arc family, this arc belongs to it, $b$ and $c$ are dependent and $c < b$. If $b < d$ we are done; otherwise, we find a $d$-labelled arc from $q$ and by choice of the family $a < d$; if now $\neg\,(c < a)$, then we have a $c$-labelled arc into $q$ belonging to the family and a $d$-labelled arc from $q$, thus by choice of the family $c < d$. □

As a negative example, consider simply a diamond with arcs $p \xrightarrow{a} q$ and $q \xrightarrow{b} p'$, but with $a$ and $b$ being dependent. This can easily be realized by a net, but inserting a $\tau$ between the two arcs makes it impossible: the $\tau$-transition would have to have a zero effect, but would also be required to change the marking. Of course, this can be remedied by inserting another internal event on the other side of the diamond.

We conclude by the remark that our construction above coincides with the one in Section 4 in an extreme case, namely if all events are dependent and we apply the former to each arc separately.

7 Concluding Remark

The results in this paper are only a beginning. Clearly, the problem of finding a history-preserving bisimilar implementation for an asynchronous transition system has only been touched upon, although the author does not know of any asynchronous transition system that does not have such an implementation. Furthermore, for realistic application it is necessary to optimize the implementation by minimizing the number of places (as it is e.g. done in ) or, most of all, the number of additional internal transitions.
Abstract. We present a new class of nets which includes and extends both Coloured Nets and Fifo Nets by defining weights on edges and markings of places as traces on a concurrent (trace) alphabet. Considering different independence relations on the alphabet, from the maximal one to the empty one (yielding words), Trace Channel Nets open a hierarchy of semantics on a single net structure. Furthermore a field of investigation results from the relationship between the independence on the alphabet and the behaviours of the net. In particular we show that the boundedness of a TCNet is related to particular independence relations, maximal w.r.t. boundedness, that TCNets can be applied to the study of Communicating Finite State Machines (using communication through a trace channel), and that they define a hierarchy of partial order semantics for Nets.

Keywords: Mazurkiewicz traces, Fifo Nets, Coloured Nets, concurrency, asynchronous communication, concurrent automata, recognisability.



1 Introduction 

Partial orders and “true concurrency” models have been widely generalised in 
the last two decades for modeling distributed and/or concurrent processes, while 
their relationships with Petri Nets Theory played a central role ([BC] [BD] [Gi] 
[Gr] [Kl] [NSW] [Pr] [Vo]). Among the many variations on Petri Nets, the ones 
concerning the structure of arcs labels, tokens and markings led to important 
developments [Je]. In the present paper, we define a new class of nets. Trace 
Ghannel Nets, TGNets in short, where the arcs labels and the markings of the 
places are traces of a concurrent alphabet [Ma] . They can be viewed as bridging 
the gap between Simple Goloured Nets, where markings are unordered multisets 
of colours, and Fifo Nets [FM], where markings are totally ordered multisets. 

While Fifo Nets and Gommunicating Finite State Machines have been used 
to model processes with asynchronous communication and with total orders on 
messages. Trace Ghannel Nets (and Partial Order Ghannel Nets, see [FB] for the 
original report) propose in particular a good model for Partial Order Gonnections 
and Partial Order Protocols, developed for multimedia applications [AGG] [GDL] : 
the trace or partial order structure of a channel’s marking models any precedence 
or causality relation between alphabetic elementary components, like the partial 
order on the messages of a POG. Furthermore it acts as a concurrent behaviour 
“specification” for the output transitions. 

Since the late 80’s, different formal language theory approaches and results 
have been successfully extended or adapted to trace languages, [Oc] [GPZ], and 
more recently, to pomset languages [Dr][LW]. Trace Channel Nets can be 
comprehensively seen as a ‘natural’ generalisation of existing classes of Nets, 
corresponding to the extension from words to traces, and benefit from these advances. 
In Fifo Nets the firing of a transition truncates a prefix of the words marking 
its input places (the label of the corresponding input arc), and appends suffixes 
(the words labelling the output arcs) to the markings of its output places. Trace 
Channel Nets generalise this paradigm: arcs are labelled by traces on a concurrent 
alphabet, and the notions of trace prefix, residue and concatenation are 
used to define the TCNet’s firing rules (instead of their ‘word’ versions). 

A concurrent alphabet is a pair $(A, I)$ where I is a binary irreflexive relation 
on an alphabet A, called the independence relation. A trace is an equivalence class 
of words of $A^*$ obtained by permutations of independent letters. The quotient 
set, denoted $(A/\approx_I)$, is a cancellative quotient monoid of $A^*$ called the trace 
monoid of $(A, I)$. The intuition of the semantics of TCNets is that when two 
transitions $t_1$ and $t_2$ input the letters a and b into the same channel, the order 
of their firings will be relevant for the resulting marking only if the letters are 
dependent in the alphabet. If $t_1$ and $t_2$ output the letters a and b from a channel, 
the marking of the channel induces an order on the firings of $t_1$ and $t_2$ only if 
the two letters are dependent. 

A first application of TCNets concerns Communicating Finite State Machines. 
CFSMs use fifo channels to exchange messages, and are a typical case 
of Fifo Nets. Their extension to trace channels is natural: two safe nets share 
a trace channel, the first one may input into the channel, the second one may 
output from it. While the loss of messages has been introduced in CFSMs by 
[CFP], inducing easier verification, Trace Channels relax the total order condition. 
We give a sufficient condition preserving the rationality of the languages 
of the two communicating nets, when the channel is taken into account. This 
condition depends on the rational structure of these languages, and on the labels 
of the arcs adjacent to the channel, taking into account the dependence relation 
of the alphabet. It highlights the existence of minimal dependences satisfying the 
condition, i.e. preserving the rationality of the languages; we think that such a 
property is typical of the interest of TCNets. 

We define the concurrent semantics of TCNets by means of deterministic stably 
concurrent automata [DK]. They are deterministic transition systems having 
“local” concurrency relations, defined for each marking on the set of transitions 
firable from it, and satisfying “good” properties (the diamond, the cube and 
the inverse cube axioms). The advantage of this definition is that we gain for 
TCNets the properties worked out for this type of automata, in particular the 
ones relating recognisable and co-rational sub-languages when the automaton is 
finite [Dr], i.e. when the net is bounded. Besides the concurrent firings of transitions 
with no common adjacent places, the trace structure of markings gives the 
possibility to fire concurrently two transitions that are output of the same place, 
provided that they consume two independent prefixes of the place marking. The 
concurrency relations on transitions depend on the independence between the 
letters of the trace alphabet. If we relax dependence on letters, we may add new 
behaviours to the net, but also increase the degree of concurrency in the existing 
ones. 

Independence relations on an alphabet are ordered by inclusion and have a 
maximal and a minimal element. Simple Coloured Nets and Fifo Nets can be 
considered as two extreme cases of TCNets, corresponding to these particular 
relations. Starting from a Fifo Net and considering the different independences 
on the token alphabet, we define a full partial order of semantics materialised by 
automata morphisms from the ones with lower independences towards the more 
concurrent ones. Furthermore, considering the independences from the point 
of view of the induced behaviours, some of them appear as maximal for the 
boundedness of the net, as we mentioned above for CFSMs. 



Figure 1. Three nets on the same structure and alphabet (transitions $t_1$, $t_2$, ...); 
from left to right: a Fifo Net ($I = \emptyset$), a Trace Channel Net and a Coloured Net. 



The three TCNets of figure 1 share the same structure and the same 
alphabet with different independence relations. The transition $t_3$ may occur in 
the Fifo Net only after the firing of the sequence $t_1 t_2$, while it may occur in 
the other ones after any firings of $t_1$ and $t_2$. After the firing of $t_3$, the Fifo Net 
may only fire the sequence $t_3 t_6 t_5 t_3$. The increasing independence relations from 
left to right induce new firing sequences for the transitions $t_3$, $t_5$ and $t_6$, say 
$t_3 t_6 t_3 t_5$ for the middle net, and $t_3 t_3 t_5 t_6$ for the net on the right. The concurrent 
semantics of section 6 is based on equivalence classes of firing sequences. The 
two sequences $t_3 t_6 t_3 t_5$ and $t_3 t_6 t_5 t_3$, both enabled in the middle net after the 
firing of $t_3$, are equivalent, and compose a partial word on $t_3$, $t_5$ and $t_6$, in which 
the firings of $t_3$ and $t_5$ after the one of $t_6$ are concurrent. 

Related works. If we restrict to Net Theory, besides the above mentioned 
papers, we can point out Coloured Fifo Nets as defined in [BG] where two types 
of places are used in Nets, i.e. Fifo places holding words, and bag places holding 
multisets of colours. In [F1], the two types of places were defined, but using 
monochrome tokens for the bag places. 

Due to space limitations, all proofs are omitted and can be found in 
[F2]. 

2 Traces 

A trace (or concurrent) alphabet is a pair $(A, I)$ where A is a set, and I a 
binary symmetric irreflexive relation on A called the independence relation. 
Its complement $D = A \times A - I$, which is symmetric and reflexive, is called the 
dependence relation. 

The trace monoid $(A/\approx_I)$ (denoted usually $M(A, I)$, but the letter M 
is already used for markings) is the quotient of the free monoid $A^*$ by the 
congruence $\approx_I$, the congruence w.r.t. concatenation generated by the set of pairs 
$\{(ab, ba) \in A^* \times A^* \mid (a, b) \in I\}$. Let u be a word in $A^*$; we denote by $[u]_I$ the 
class of u in $(A/\approx_I)$. Elements of $(A/\approx_I)$ are called traces. The monoidal 
operation (concatenation) $\circ$ on traces is defined by $[u]_I \circ [v]_I = [uv]_I$. 
The monoid $(A/\approx_I)$ is cancellative, i.e. 
$[u]_I \circ [v]_I \circ [u']_I = [u]_I \circ [w]_I \circ [u']_I \Rightarrow [v]_I = [w]_I$ 
for any $u, u', v, w \in A^*$, or equivalently $u_1 v u_2 \approx_I u_1 w u_2 \Rightarrow v \approx_I w$ 
for any $u_1, u_2, v, w \in A^*$. 

The empty trace $[\varepsilon]_I$ is also denoted $\varepsilon$. The number of occurrences of a 
letter $a \in A$ in a trace $s = [u]_I$ is $|s|_a = |u|_a$, the alphabet of a trace s is 
$\alpha(s) = \{a \in A, |s|_a \neq 0\}$, and the size of a trace s is $|s| = |u|$. 

The multiset $[s]$ of a trace s is $[s] \in \mathbb{N}^A$ such that $\forall a \in A, [s](a) = |s|_a$ 
($\mathbb{N}$ denotes the set of natural numbers). 

A trace $[u]_I$ is a prefix of a trace $[v]_I$, denoted $[u]_I \preceq [v]_I$, by the definition 
$[u]_I \preceq [v]_I \Leftrightarrow \exists w \in A^*, [v]_I = [uw]_I$. The set of prefixes of a (trace) language 
L is denoted $Pref(L)$. If $[u]_I \preceq [v]_I$, we define the residue $[v]_I - [u]_I$ as follows: 
$[v]_I - [u]_I = [w]_I \Leftrightarrow [v]_I = [uw]_I$. The residue is uniquely defined due to 
the cancellativity of $\circ$. If $\{s_i\}_{i \in J}$ is a finite indexed set of traces such that 
$i \neq j \Rightarrow \alpha(s_i)\, I\, \alpha(s_j)$, i.e. any two traces have independent alphabets, then we 
denote by $\circ_{i \in J}\, s_i$ the trace concatenation of the elements of $\{s_i\}_{i \in J}$, which is 
independent of the order of the concatenations. 

A trace $[u]_I$ is connected iff it cannot be decomposed into independent 
factors, i.e. it cannot be written $[u]_I = [vw]_I$ such that $[v]_I \neq \varepsilon \neq [w]_I$ and 
$\alpha([v]_I) \times \alpha([w]_I) \cap D = \emptyset$. A connected trace $[v]_I$ is a connected component 
of a trace $[u]_I$ iff $[u]_I = [vw]_I$ for some w such that $\alpha([v]_I) \times \alpha([w]_I) \cap D = \emptyset$. The 
co-star iteration of a trace language L is defined as $Comp(L)^*$ where 
$Comp(L)$ is the set of connected components of elements of L. A subset of a 
monoid (resp. trace monoid) is rational (resp. co-rational) iff it is generated 
from finite subsets by finite applications of concatenation, union and star 
(resp. co-star) operations. An iterative factor of a language (trace language) 
L is a word (a trace) t such that $u t^* v \subseteq L$ for some words u, v. A language 
$L \subseteq (A/\approx_I)$ is star-connected iff every iterative factor is connected for the 
dependence relation D. A subset of a monoid is recognisable iff it is saturated 
by a finite index monoid congruence. Ochmanski’s theorem states in particular 
that a language $L \subseteq (A/\approx_I)$ is star-connected iff it is recognisable iff it is 
co-rational [Oc]. 

3 TCNets Structure and Interleaving Semantics 

This section presents the basic definitions of TCNets, i.e. elementary firing rules 
and related objects. The definitions are very similar to those of Fifo Nets, except 
for the change from the free monoid $A^*$ to the trace monoid $(A/\approx_I)$. 



3.1 TCNets Structure 
A TCNet is a tuple $N = (A, I, C, T, W)$ where: 

1. $(A, I)$ is a trace alphabet, 

2. C, T are disjoint finite sets. C is the set of channels or places, T the set of 
transitions, 

3. W is the flow relation: $W : C \times T \cup T \times C \to (A/\approx_I)$. 

A marking M is a map from channels to traces: $M : C \to (A/\approx_I)$. 

The pre-set (input set) and the post-set (output set) of $x \in C \cup T$ are 

${}^\bullet x = \{y \in C \cup T, W(y, x) \neq \varepsilon\}$ and $x^\bullet = \{y \in C \cup T, W(x, y) \neq \varepsilon\}$. 

Channel alphabets. The input (resp. output) alphabet of a channel c, denoted 
$\alpha_i(c)$ (resp. $\alpha_o(c)$), is the set of letters in the labels of its input (resp. output) 
arcs: $\alpha_i(c) = \bigcup\{\alpha(W(t, c)), t \in T\}$ (resp. $\alpha_o(c) = \bigcup\{\alpha(W(c, t)), t \in T\}$). The 
alphabet of c is $\alpha(c) = \alpha_i(c) \cup \alpha_o(c)$. 

Normalised Nets. If the input and output alphabets of c coincide, i.e. 
$\forall c \in C, \alpha_i(c) = \alpha_o(c) = \alpha(c)$, the net is said to be normalised. 

Local alphabets. A particular form of TCNets arises where the alphabets of 
channels are disjoint, i.e. $c \neq c' \Rightarrow \alpha(c) \cap \alpha(c') = \emptyset$, with “local” independences. 
Each channel has its own concurrent alphabet $(\alpha(c), I(c))$, and this case is easy 
to achieve by the mappings $\alpha(c) \to \alpha(c) \times \{c\}$. Except in section 7, where we 
consider explicitly local alphabets, the rest of the paper does not depend on this 
“localisation” property. 

We also distinguish semi-alphabetic and alphabetic channels: a channel c 
is in-alphabetic (resp. out-alphabetic) iff its input arcs (resp. its output 
arcs) are labelled by at most single letters, i.e. $\forall t \in T, |W(t, c)| \le 1$ (resp. 
$\forall t \in T, |W(c, t)| \le 1$). It is alphabetic iff it has both properties. 

Two particular cases correspond to the minimal (empty) and maximal 
independence relations: 

Fifo Nets coincide with the TCNets where the independence relation is 
empty. If $I = \emptyset$, the flow relation is then valued on words: $W : C \times T \cup T \times C \to A^*$. 
All the usual definitions and properties of Fifo Nets are those of TCNets 
with empty independence. 

Simple Coloured Nets are tuples $N = (A, C, T, W, l)$, where the flow function 
maps arcs on multisets of colours, i.e. $W : C \times T \cup T \times C \to \mathbb{N}^A$. The 
maximal independence relation for a trace alphabet is $I_m = A \times A - \Delta(A)$, 
due to its irreflexivity ($\Delta(A)$ is the diagonal of the product). A TCNet with the 
maximal independence $I_m$ behaves like a Simple Coloured Net for the interleaving 
semantics: it is equivalent in a marking to have a bag containing 2 a’s or 
a trace with a connected component a.a. For the concurrent semantics this is 
not the case because in the first case (2 a’s) a transition taking one a may fire 
twice concurrently, which cannot occur in the second. Section 7.4 brings 
Simple Coloured Nets into the TCNet framework w.r.t. concurrency. 



3.2 Interleaving Semantics 

The interleaving semantics is based on individual transition firing rules, using 
prefix, residue and concatenation on the trace monoid $(A/\approx_I)$. The left and 
right cancellativity of $(A/\approx_I)$ are used in the section below. 

Let $N = (A, I, C, T, W, l)$ be a TCNet. We say that a transition t is enabled 
at a marking M, denoted $M[t>$, iff it satisfies: 

$M[t> \Leftrightarrow \forall c \in C,\ W(c, t) \preceq M(c)$ 

If t is enabled at M, the firing of t leads to a new marking M’, denoted 
$M[t>M'$, defined as follows: 

$M[t>M' \Leftrightarrow M[t> \wedge \forall c,\ M'(c) = (M(c) - W(c, t)) \circ W(t, c)$ 

The definition of the new marking can be expressed in the following way, due to 
properties of traces (see section 2): 

$M[t>M' \Leftrightarrow M[t> \wedge \forall c,\ W(c, t) \circ M'(c) = M(c) \circ W(t, c)$ 

A sequence of transitions $\theta = t_1 t_2 \ldots t_n$ is enabled at marking M, and 
leads to marking M’, denoted $M[\theta>M'$, if and only if there is a sequence of 
markings $M = M_0, M_1, M_2, \ldots, M_n = M'$ such that $M_{i-1}[t_i>M_i$ for $i = 1, \ldots, n$. 

The set of firing sequences of a marked net (N, M), where M is a marking 
of N, is $FS(N, M) = \{\theta \in T^*, M[\theta>\}$. 

The set of reachable markings is $R(N, M_0) = \{M : C \to (A/\approx_I) \mid \exists \theta \in FS(N, M_0), M_0[\theta>M\}$. 

A channel $c \in C$ is bounded in $(N, M_0)$ iff $\exists n \in \mathbb{N}, \forall M \in R(N, M_0), |M(c)| \le n$. 
The marked net $(N, M_0)$ is bounded iff all its channels are bounded. 



4 Channel Languages 

In this section, we focus on a single channel of the net. The labels of its input and 
output arcs induce a specific structure on its markings, and relations between the 
sequences of input and output transitions. In particular the balanced language 
of a net w.r.t. a channel models exactly the constraints induced by the channel 
on the behaviour of the net. 
4.1 Input and Output Traces of Channels 

We extend the flow function W to sequences of transitions. For a channel c, W 
yields two monoid morphisms $W(\cdot, c) : T^* \to (A/\approx_I)$ and $W(c, \cdot) : T^* \to (A/\approx_I)$, 
defining the input and output traces of the channel c for a given word 
$\theta = t_1 t_2 \ldots t_n \in T^*$: 

$W(\theta, c) = W(t_1, c) \circ W(t_2, c) \circ \ldots \circ W(t_n, c)$ 

$W(c, \theta) = W(c, t_1) \circ W(c, t_2) \circ \ldots \circ W(c, t_n)$ 

We use the notation $W(\cdot, c)(L) = \{W(\theta, c), \theta \in L\}$. 

In the examples of figure 1, if we let $\{c_1\} = t_1^\bullet$, we have $W(t_1 t_2 t_1, c_1) = [aba]_I$, 
with $I = I_1, I_2$ or $I_3$ depending on the chosen net. 

By induction on the length of a firing sequence, we prove the following 
properties. 

Lemma 1. Let (N, M) be a marked TCNet, then 

1. $\forall \theta \in FS(N, M), \forall c \in C,\ W(c, \theta) \preceq M(c) \circ W(\theta, c)$. 

2. $M[\theta>M' \Rightarrow \forall c \in C,\ M'(c) = (M(c) \circ W(\theta, c)) - W(c, \theta)$. 

4.2 Balanced Languages w.r.t. Channels 

We characterise the constraints induced by a single channel on the net 
behaviours. For that purpose, we consider a net N, a channel c, and we define 
the hiding of c in N, $N \setminus c$, as the net where the channel c and its adjacent arcs 
have been suppressed. We show that the firing sequences of N are the ones of 
$N \setminus c$ which we call balanced w.r.t. c, i.e. such that for any of its prefixes, the 
corresponding output from c is a trace prefix of its inputs in c. 

Let c be a channel, M a marking, the balanced language of N w.r.t. c 
and M is 

$BL(c, M) = \{\theta \in T^* \mid \forall v \in T^*,\ v \preceq \theta \Rightarrow W(c, v) \preceq M(c) \circ W(v, c)\}$ 

We then define the “hiding” of a channel c in a net N, denoted $N \setminus c$, and 
then compare its firing sequences with the ones of the complete net. 

Let $N = (A, I, C, T, W, l)$ be a net; the hiding of c in N is the net 
$N \setminus c = (A, I, C - \{c\}, T, W \setminus c, l)$ 

where $W \setminus c$ is the restriction of the flow mapping W to the set $((C - \{c\}) \times T) \cup (T \times (C - \{c\}))$. 

We denote by $M \setminus c$ the restriction of a marking M to $C - \{c\}$. The firing 
language of N is the intersection of the firing language of $N \setminus c$ and the balanced 
language of N w.r.t. c, with the hypothesis that ${}^\bullet c \cap c^\bullet = \emptyset$, i.e. no transition 
is both an input and an output for c. 

Proposition 1. (Balanced Language). 

If c is a channel such that ${}^\bullet c \cap c^\bullet = \emptyset$, then: 

$FS(N, M) = FS(N \setminus c, M \setminus c) \cap BL(c, M)$ 
4.3 Relations between Inputs and Outputs in Balanced Languages 

We find it interesting for understanding TCNets to characterise algebraically the 
relationships between the projections of a balanced language on the sets ${}^\bullet c$ and 
$c^\bullet$ of input and output transitions, i.e. $BL(c, M)/{}^\bullet c$ and $BL(c, M)/c^\bullet$. The 
following lemma may seem verbose, but facilitates the next sections. 

Lemma 2. If ${}^\bullet c \cap c^\bullet = \emptyset$, then 

1. If $\theta \in ({}^\bullet c)^*$ and $\theta' \in (c^\bullet)^*$ then $\theta\theta' \in BL(c, M) \Leftrightarrow W(c, \theta') \preceq M(c) \circ W(\theta, c)$ 

2. If $\theta \in ({}^\bullet c)^*$ then $\{\theta' \in (c^\bullet)^*, \theta\theta' \in BL(c, M)\} = W(c, \cdot)^{-1}(Pref(M(c) \circ W(\theta, c)))$ 

3. If $\theta \in (c^\bullet)^*$ then $\{\theta' \in ({}^\bullet c)^*, \theta'\theta \in BL(c, M)\} = W(\cdot, c)^{-1}((W(c, \theta) \circ (A/\approx_I)) - M(c))$ 

4. $\theta \in BL(c, M) \Rightarrow (\theta/{}^\bullet c)(\theta/c^\bullet) \in BL(c, M)$ 

We associate to any sequence of input transitions $\theta$ the set $En(c, \theta, M)$ of 
sequences of output transitions $\theta'$ such that $\theta\theta' \in BL(c, M)$, which we call 
enabled after $\theta$: 

$En(c, \cdot, M) : ({}^\bullet c)^* \to \mathcal{P}((c^\bullet)^*)$ with $En(c, \theta, M) = \{\theta' \in (c^\bullet)^*, \theta\theta' \in BL(c, M)\}$ 

In the same way we can define a requirement mapping: 

$Rq(c, \cdot, M) : (c^\bullet)^* \to \mathcal{P}(({}^\bullet c)^*)$ with $Rq(c, \theta, M) = \{\theta' \in ({}^\bullet c)^*, \theta'\theta \in BL(c, M)\}$. 

A natural question that arises is: if $L \subseteq ({}^\bullet c)^*$ is a recognisable language, under 
which conditions is $En(c, L, M) \subseteq (c^\bullet)^*$ a recognisable language? The proposition 
below gives a sufficient condition, based on the image by $W(\cdot, c)$ of the 
iterative factors of L. The proposition relies on Ochmanski’s theorem and the 
following fact: 

If L is a rational language, $L \subseteq T^*$, and $\varphi : T^* \to (A/\approx_I)$ a monoid 
morphism, then $\varphi(L)$ is co-rational if and only if the image of any iterative 
factor of L by $\varphi$ is connected in $(A/\approx_I)$. 

Proposition 2. (Rationality of $En(c, L, M)$). 

If $L \subseteq ({}^\bullet c)^*$ is a rational language such that for each iterative factor E of L, 
$W(\cdot, c)(E) \subseteq (A/\approx_I)$ is connected, then $En(c, L, M) \subseteq (c^\bullet)^*$ is rational. 

Note that this condition is not necessary, as shown by the example in figure 
2.d of section 5. 

5 Bounded Petri Nets Communicating through Trace 
Channels 

Communicating Finite State Machines use Fifo channels to exchange messages, 
and are a typical case study for Fifo nets. Their extension to trace channels is 
natural. We only study communication through a single channel, and throughout 
this section we consider a TCNet $N = (A, I, C, T, W, l)$ and a channel $c \in C$ such 
that $N \setminus c$ has two disjoint connected components $N_i = (A, I, C_i, T_i, W_i, l_i)$, $i = 1, 2$, 
such that ${}^\bullet c \subseteq T_1$ and $c^\bullet \subseteq T_2$. If M is a marking of N, we denote by $M_1$ 
and $M_2$ its restrictions to $C_1$ and $C_2$. 
5.1 Components Languages 

We suppose that the nets $(N_i, M_i)$ are bounded, and so $FS(N_i, M_i)$, $i = 1, 2$, are 
rational languages in $T_i^*$. The problem we address first is to find sufficient 
conditions on the net to ensure the rationality of the projections $FS(N, M)/T_i$, 
$i = 1, 2$. As $FS(N, M)/T_1 = FS(N_1, M_1)$, the question is: when 
is $FS(N, M)/T_2$ rational? The proposition below relies on proposition 2, and 
considers the image by the input flow function $W(\cdot, c)$ of the iterative factors 
of $FS(N_1, M_1)$. 

Proposition 3. (Rationality of Projected Languages). 

If the sets $FS(N_i, M_i)$, $i = 1, 2$, are rational languages, and if for every iterative 
factor F of $FS(N_1, M_1)$, $W(\cdot, c)(F)$ is connected, then $FS(N, M)/T_i$, $i = 1, 2$, 
are rational languages. 

Note that the condition of the proposition is valid for some initial marking 
of c iff it is valid for any initial marking of c. 

5.2 Empty Channel Languages 

Emptiness of the communication channel is an important property, used in 
particular in the definition of half-duplex systems. We focus now on the firing 
sequences which preserve the emptiness. For this purpose, we define the empty 
channel language of (N, M) as $L_{c,\varepsilon} = \{\theta \in FS(N, M), W(\theta, c) = W(c, \theta)\}$. If 
we suppose that $M(c) = \varepsilon$, we have 

$L_{c,\varepsilon} = \{\theta \in FS(N, M), M[\theta>M' \Rightarrow M'(c) = \varepsilon\}$. 

Under the hypothesis that $FS(N, M)/T_i$, $i = 1, 2$, are rational languages, a 
property ensured by the previous proposition, we give a sufficient condition for 
the rationality of the projections $L_{c,\varepsilon}/T_1$ and $L_{c,\varepsilon}/T_2$. The argument is of 
the same type as in the previous proposition, but in this case we also consider the 
iterative factors of the receiving net language. 

Proposition 4. Let $L_i = FS(N, M)/T_i$, $i = 1, 2$, be rational; if for every 
iterative factor F of $L_1$, $W(\cdot, c)(F)$ is connected, and if for every iterative factor 
F of $L_2$, $W(c, \cdot)(F)$ is connected, then $L_{c,\varepsilon}/T_i$, $i = 1, 2$, are rational languages. 

The connectedness of $W(\cdot, c)(F)$ and $W(c, \cdot)(F)$ used in the two propositions 
above depends on the relation I. If I is too large, the conditions for the rationality 
of the languages of the component nets are not satisfied. More generally, in section 
6, we will show the existence of maximal independences on channel alphabets 
w.r.t. the rationality of the firing language of a net. 

5.3 Examples 

Figure 2 shows four TCNets, each one composed of a pair of disjoint component 
nets, denoted $N_1$ and $N_2$, which communicate through a trace channel. The 
nets in 2.a and 2.b have bounded components, and proposition 3 applies: 
we can ensure the rationality of the projected behaviours. 

In the net 2.a, we have $FS(N_1) = Pref((t_1 t_2)^*)$, so $t_1 t_2$ is the only iterative 
factor of the input language, and we need to ensure that $W(\cdot, c)(t_1 t_2) = [abcd]_I$ 
is connected, while $W(t_i, c)$, $i = 1, 2$, do not need to be connected. This is the case 
for $I = \{(a, b), (b, a), (a, c), (c, a), (b, c), (c, b)\}$, and the projected behaviours on 
$T_2$ are $FS(N)/T_2 = Pref((Perm(t'_1.t'_2.t'_3).t'_4)^*) \cap FS(N_2)$ (the iterative factor 
is any permutation of the sequence $t'_1 t'_2 t'_3$ followed by $t'_4$). 

In the net 2.b, $FS(N_1) = Pref(t_1^* t_2^*)$ has two iterative factors, $t_1$ and $t_2$, and 
the proposition applies only if $W(t_i, c)$, $i = 1, 2$, are connected, i.e. $\{(a, b), (c, d)\} \subseteq D$. 
If $I = (\{a, b\} \times \{c, d\}) \cup (\{c, d\} \times \{a, b\})$, then $FS(N)/T_2 = Pref((t'_1.t'_2)^* \,|||\, (t'_3.t'_4)^*) \cap FS(N_2)$, 
which can be expressed as a rational expression (the shuffle 
of rational languages is rational). 

The net 2.c is a counter-example to the rationality of $FS(N_1)/{}^\bullet c$: $FS(N_1)/{}^\bullet c = \{t_1^n t_2^n, n \in \mathbb{N}\}$, 
and $\{W(\theta, c) \mid \theta \in FS(N)\} = \{[a^n b^n]_I, n \in \mathbb{N}\}$, which cannot 
be rational, independently of I. If $a\,I\,b$, $FS(N)/T_2 = \{\ldots\} \cap FS(N_2)$. 

The net 2.d shows that the condition of proposition 3 is not necessary: if 
a and b are independent from c and d, with $a\,D\,b$ and $c\,D\,d$, then $W(\cdot, c)(t_1 t_2) = [abcd]_I$ 
is not connected but the induced behaviour on $T_2$ is rational: $FS(N)/T_2 = Pref((t'_1 t'_2)^*) \cap FS(N_2)$. 
6 Concurrent Semantics 

6.1 Modeling by Automata with Concurrency Relations 

We define the concurrent semantics for TCNets, by deterministic automata 
with concurrency relations [DK]. For each TCNet N, we define an automaton 
Aut{N), and we show that Aut{N) is stably concurrent. This type of automata 
has many advantages: 

— Equivalence classes of sequential behaviours correspond to maximally con- 
current firable partial orders of transitions [BDK][Vo]. We do not need to 
define explicitly firing rules for steps of transitions or partial words of tran- 
sitions. 

— If the net is bounded, the automaton is finite, and co-rationality and recog- 
nisability are related for the sub-languages of the automaton [Dr] . 

— A simulation relation between TCNets can be defined by means of automata 
morphisms, which take concurrency of behaviours into account. These mor- 
phisms relate nets with the same structure but different dependence relations 
on the tokens alphabet, and particular dependences can be underscored in 
this framework. 

In this section we need to distinguish the transitions of the net, which coincide 
with the events of the automaton, from the transitions of the automaton, i.e. 
triples composed of a source marking, an event and a target marking. The 
concurrency relations on the events of the automaton, denoted $\|_M$, depend 
on the marking M where the events are enabled and on the independence relation 
I. More precisely, two events are concurrent at a marking M iff they are both 
enabled at M, and they neither both output dependent letters from the same 
channel, nor both input dependent letters into the same channel. This is formalised 
in item 4 of the definition below. 

The automaton of a TCNet $N = (A, I, C, T, W, l)$, denoted $Aut(N)$, is 
the tuple 

$Aut(N) = (Q, E, \Theta, \{\|_M\}_{M \in Q})$ where 

1. $Q = \{M : C \to (A/\approx_I)\}$ is the set of states, coinciding with the 
markings of N. 

2. $E = T$, the set of events coincides with the set of transitions of N. 

3. $\Theta \subseteq Q \times E \times Q$ is the transition set, defined by $(M, t, M') \in \Theta \Leftrightarrow M[t>M'$. 

4. $\|_M \subseteq E \times E$, defined by $t \|_M t' \Leftrightarrow M[t> \wedge M[t'> \wedge t\, I_E\, t'$, is the 
concurrency relation. The auxiliary relation $I_E$ on events does not rely 
on M: 

$t\, I_E\, t' \Leftrightarrow \forall c \in C,\ \alpha(W(c, t)) \times \alpha(W(c, t')) \cap D = \emptyset \ \wedge\ \alpha(W(t, c)) \times \alpha(W(t', c)) \cap D = \emptyset$ 

We recall that D is the complement of I in $A \times A$. 

Note that if the pre and post sets of two transitions are disjoint, they are 
related by $I_E$: $t^\bullet \cap t'^\bullet = \emptyset \wedge {}^\bullet t \cap {}^\bullet t' = \emptyset \Rightarrow t\, I_E\, t'$. 
Note also that for Fifo Nets the two properties are equivalent, and in that 
case two transitions can be concurrent only if they do not share an input or 
output channel: $I = \emptyset \Rightarrow (t^\bullet \cap t'^\bullet = \emptyset \wedge {}^\bullet t \cap {}^\bullet t' = \emptyset \Leftrightarrow t\, I_E\, t')$ 

To satisfy the definition of automata with concurrency relations, we have to 
verify the so-called (forward) diamond property, which ensures that the order 
in which we fire concurrent events is irrelevant w.r.t. the obtained marking. 

Note that the proofs of the three lemmas below rely on the fact that the 
dependence relation D is reflexive, and for that reason this construction cannot 
be used to give a concurrent semantics to Coloured Nets. We shall overcome this 
restriction in the section 7.4. 

Lemma 3. (Diamond Property). 

$t \|_M t' \Rightarrow \exists M',\ M[t.t'>M' \wedge M[t'.t>M'$ 

Note that the reverse implication $(\exists M',\ M[t.t'>M' \wedge M[t'.t>M') \Rightarrow t \|_M t'$ 
does not hold; the left hand side may be due to $W(c, t) = W(c, t')$ or 
$W(t, c) = W(t', c)$ for some $c \in C$, and we do not consider in that case the 
transitions to be concurrent. 
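The trace operations of section 2 (lexicographic normal form, prefix test, residue, connectedness), the firing rule of section 3.2 and the relations $I_E$ and $\|_M$ defined above, gathered in one Python illustration. This is an added example and not code from the paper; the dictionary encoding of the flow function, the three-transition net in `demo()` and all function names are constructed here for illustration.

```python
from collections import deque

class TraceAlphabet:
    """Concurrent alphabet (A, I): I symmetric and irreflexive, so D = A x A - I is reflexive."""

    def __init__(self, independent_pairs):
        self.I = frozenset(independent_pairs) | frozenset((b, a) for a, b in independent_pairs)
        assert all(a != b for a, b in self.I), "I must be irreflexive"

    def dependent(self, a, b):
        return (a, b) not in self.I

def normal_form(alpha, word):
    """Least word of the class [word]_I: move to the front the smallest movable letter, repeatedly."""
    rest, out = list(word), []
    while rest:
        best = None
        for i, a in enumerate(rest):  # a is movable when all its predecessors are independent of it
            if all(not alpha.dependent(a, b) for b in rest[:i]) and (best is None or a < rest[best]):
                best = i
        out.append(rest.pop(best))
    return "".join(out)  # equal normal forms <=> trace-equivalent words

def residue(alpha, v, u):
    """w with [v]_I = [u]_I o [w]_I, or None if [u]_I is not a prefix of [v]_I: each letter a of u must
    be minimal in what is left of v; (a, a) in D makes that occurrence unique (cancellativity)."""
    rest = list(v)
    for a in u:
        i = rest.index(a) if a in rest else -1
        if i < 0 or any(alpha.dependent(a, b) for b in rest[:i]):
            return None
        del rest[i]
    return normal_form(alpha, "".join(rest))

def connected(alpha, word):
    """A trace is connected iff the dependence graph restricted to its alphabet is connected."""
    letters, seen, stack = set(word), set(), list(set(word))[:1]
    while stack:
        a = stack.pop()
        if a not in seen:
            seen.add(a)
            stack.extend(b for b in letters if b not in seen and alpha.dependent(a, b))
    return seen == letters

class TCNet:
    """flow[(t, c)]: word labelling the input arc of channel c; flow[(c, t)]: its output arc."""

    def __init__(self, alpha, channels, transitions, flow):
        self.alpha, self.C, self.T, self.W = alpha, list(channels), list(transitions), flow

    def w(self, x, y):
        return self.W.get((x, y), "")  # a missing arc carries the empty trace

    def enabled(self, M, t):  # M[t>  iff  W(c, t) is a trace prefix of M(c) for every c
        return all(residue(self.alpha, M[c], self.w(c, t)) is not None for c in self.C)

    def fire(self, M, t):  # M'(c) = (M(c) - W(c, t)) o W(t, c), kept in normal form
        if not self.enabled(M, t):
            return None
        return {c: normal_form(self.alpha, residue(self.alpha, M[c], self.w(c, t)) + self.w(t, c))
                for c in self.C}

    def events_independent(self, t, t2):  # t I_E t': no channel where both output, or both
        def dep(s, s2):                   # input, dependent letters
            return any(self.alpha.dependent(a, b) for a in set(s) for b in set(s2))
        return not any(dep(self.w(c, t), self.w(c, t2)) or dep(self.w(t, c), self.w(t2, c))
                       for c in self.C)

    def concurrent(self, M, t, t2):  # t ||_M t'
        return self.enabled(M, t) and self.enabled(M, t2) and self.events_independent(t, t2)

    def reachable(self, M0, bound):
        """Breadth-first reachable markings (tuples of channel traces); None once a channel exceeds `bound`."""
        key = lambda M: tuple(M[c] for c in self.C)
        seen, queue = {key(M0)}, deque([M0])
        while queue:
            M = queue.popleft()
            for t in self.T:
                M2 = self.fire(M, t)
                if M2 is None or key(M2) in seen:
                    continue
                if any(len(M2[c]) > bound for c in self.C):
                    return None
                seen.add(key(M2))
                queue.append(M2)
        return seen

def demo():
    """Constructed net: t1 inputs a, t2 inputs b into channel c, t3 outputs the trace ab."""
    flow = {("t1", "c"): "a", ("t2", "c"): "b", ("c", "t3"): "ab"}
    out = {}
    for name, pairs in (("fifo", []), ("trace", [("a", "b")])):
        net = TCNet(TraceAlphabet(pairs), ["c"], ["t1", "t2", "t3"], flow)
        M0 = {"c": ""}
        M = net.fire(net.fire(M0, "t2"), "t1")
        out[name] = {"after_t2_t1": M["c"], "t3_enabled": net.enabled(M, "t3"),
                     "t1_t2_concurrent": net.concurrent(M0, "t1", "t2"),
                     "diamond": net.fire(net.fire(M0, "t1"), "t2") == net.fire(net.fire(M0, "t2"), "t1")}
    return out
```

Traces are stored as words in lexicographic normal form, so trace equality is string equality; `residue` follows the definition $[v]_I - [u]_I = [w]_I \Leftrightarrow [v]_I = [uw]_I$ letter by letter. `demo()` reproduces the intuition of the introduction: after firing $t_2$ then $t_1$, the Fifo Net holds $ba$ and $t_3$ (which outputs $ab$) is blocked, while with $a\,I\,b$ the same net holds $[ab]_I$, $t_3$ is enabled, $t_1 \|_{M_0} t_2$ holds and the diamond closes. `reachable` gives up with `None` once a channel exceeds a given bound, which is the practical form of the boundedness check of section 3.2.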



6.2 Stability Property 

The automaton $Aut(N)$ is in fact a deterministic stably concurrent automaton, 
because it is deterministic (obvious from the definitions) and it satisfies the 
following cube and inverse cube properties [DK] [Dr]. 

Lemma 4. (Cube Property). 

Let $M \in Q$, and three events $t_1, t_2, t_3$ such that $t_1 \|_M t_2$, $t_2 \|_M t_3$ and 
$t_1 \|_{M_2} t_3$; then $t_1 \|_M t_3$, $t_2 \|_{M_1} t_3$, and $t_1 \|_{M_3} t_2$, where $M[t_i>M_i$, $i = 1, 2, 3$. 

Lemma 5. (Inverse Cube Property). 

Let $M \in Q$, and three events $t_1, t_2, t_3$ such that $t_1 \|_M t_3$, $t_2 \|_{M_1} t_3$, and 
$t_1 \|_{M_3} t_2$; then $t_1 \|_M t_2$, $t_2 \|_M t_3$, and $t_1 \|_{M_2} t_3$, where $M[t_i>M_i$, $i = 1, 2, 3$. 

A stably concurrent automaton being characterised by the cube and inverse 
cube properties, the following proposition summarises the three lemmas above: 

Proposition 5. The automaton $Aut(N)$ of a TCNet N is a deterministic 
stably concurrent automaton. 



6.3 Computations Sequences and Concurrent Behaviours 

The difference between firing sequences and computation sequences is that the 
latter record the intermediate markings. A computation sequence is either 
the empty one (noted $\varepsilon$) or a finite sequence $u = u_1, u_2, \ldots, u_n$, where 
$u_i = (M_{i-1}, t_i, M_i)$, $i = 1, \ldots, n$. $M_0$ and $M_n$ are the domain $dom(u)$ and codomain $cod(u)$ 
of u. The sequence $evseq(u) = t_1 t_2 \ldots t_n$ is a firing sequence of $FS(N, M_0)$. The 
set of computation sequences of $Aut(N)$ is denoted $CS(N)$, and is a partial 
monoid, where the concatenation of u and v is defined iff $dom(v) = cod(u)$. 
We define on the monoid of computation sequences a congruence denoted $\sim$, 
generated by the permutation of concurrent transitions: 

$(M, t_1, M_1)(M_1, t_2, M') \sim (M, t_2, M_2)(M_2, t_1, M') \Leftrightarrow t_1 \|_M t_2$ 

extended to a congruence w.r.t. the partial concatenation. Note that two 
equivalent sequences have the same domain, codomain and event sets. 

The set of concurrent behaviours is the quotient $Beh(N) = CS(N)/\!\sim \cup \{0\}$, 
where 0 stands for the undefined concatenation and is absorbing. As for traces 
in standard trace monoids, the concurrent behaviours in $Beh(N)$ can be 
represented by partial words of transitions, using the same construction. Note that 
we do not consider infinite sequences or computations in the present work. 

In the original work [FB], we defined a concurrent semantics of TCNets based 
on steps and partial words firing rules, following [Vo]. The one presented here 
yields maximally concurrent behaviours, while the previous one was a “weak” 
semantics, where any increment of the partial order between events in a 
behaviour yields another admissible behaviour, allowing the firing of the partial 
word $t\,t'$ at a marking M where the concurrent step $t\ co\ t'$ is enabled. The 
two semantics coincide on maximal concurrency. 

Marked nets and automata with initial state. 

If we consider a marked TCNet $(N, M_0)$, then the automaton with initial 
state $Aut(N, M_0)$ is the tuple 

$Aut(N, M_0) = (Q, E, \Theta, \{\|_M\}_{M \in Q}, M_0)$ 

where the set of states is $Q = R(N, M_0)$, and the other components are the same 
as in $Aut(N)$. 

Note that this automaton has the same cube and inverse cube properties 
as $Aut(N)$. We denote by $CS(N, M_0)$ and $Beh(N, M_0)$ the sets of computation 
sequences and concurrent behaviours of $Aut(N, M_0)$, i.e. the computation 
sequences (and concurrent behaviours) of $Aut(N)$ having as domain the initial 
state $M_0$. 

7 From Fifo Nets to Simple Coloured Nets 

We make explicit in this section the partial order of semantics induced by 
the different independence relations on a single net structure. We relate in this 
section TCNets with the same alphabets, sets of channels and transitions, that 
differ only by the independence relations and flow functions. For simplicity, we 
do not work up to net isomorphisms, in particular transition or channel 
renamings (they do not constitute a drawback here, but should be introduced 
to define operators and observations on TCNets). 

Figure 3 below illustrates the main aspects of the section. It represents 
a trace net N where the independence relation is left undefined, and the spectrum 
of semantics on the net structure of N, induced by the inclusion order on 
independence relations. 

For the relation $I = \{(a, c), (c, a), (b, c), (c, b), (b, d), (d, b)\}$, the net is 
bounded, while for $I' = \{(a, c), (c, a), (a, d), (d, a), (b, c), (c, b), (b, d), (d, b)\}$ it is 
unbounded. In this case, for all independences I for which the trace $W(t_1.t_2, c) = [abcd]_I$ 
is connected, the net is bounded, while boundedness is lost when 
$W(t_1.t_2, c)$ is disconnected: in the former case, all transitions $t'_1$, $t'_2$ and $t'_3$ have 
to fire once between two occurrences of $t_1$, inducing a bound on the markings 
of the channel output of $t_1$ and $t_2$. Note the similarity between this particular 
situation and the properties worked out in proposition 2 and section 5 about 
bounded nets communicating through trace channels. 

In the following, we first define the quotient net $N/I'$ obtained from the net 
N by replacing its independence relation I by a relation I’ such that $I \subseteq I'$. 
We show that there is a concurrent automata morphism between $Aut(N)$ and 
$Aut(N/I')$. The relation between N and $N' = N/I'$ is a partial order, denoted 
$N \le N'$, defined on sets of nets with the same underlying structure, having a 
set of Fifo Nets as minimal elements, and with a unique maximal element, the 
quotient $N/I_m$, where $I_m$ is the maximal independence relation. 

In this section, we consider TCNets with disjoint channel alphabets. We 
could define formally a set of concurrent alphabets $\{(A_c, I_c), c \in C\}$ with $A_c = \alpha(c)$, 
yielding monoids $(A_c/\approx_{I_c})$. For simplicity and readability, we use $(A, I)$ 
and $(A/\approx_I)$, and thus we take $I \subseteq I'$ as a shortcut for $I_c \subseteq I'_c$, $\forall c \in C$. Proofs 
do not suffer from this simplification, all traces being “local” to a channel, and 
we gain in readability. 



7.1 Incrementing Independence 

Starting from the definition of a Fifo Net $N = (A, \emptyset, C, T, W, l)$, we can define on 
$N$ a TCNet semantics associated to an independence relation $I$ on $A$, considering 
the arc labels up to the monoid congruence $\approx_I$, and using the firing rules in 
$(A^*/\approx_I)$. More generally, let $I$ and $I'$ be two independence relations on $A$, with 
$I \subseteq I'$; there is a canonical monoid morphism 

$\varphi_{I,I'} : (A^*/\approx_I) \rightarrow (A^*/\approx_{I'})$ 

which maps $(A^*/\approx_I)$ onto $(A^*/\approx_{I'})$, defined by $\varphi_{I,I'}([u]_I) = [u]_{I'}$. We denote 
by $\circ_I$ and $-_I$ the trace concatenation and residue in $(A^*/\approx_I)$. A net $N = 
(A, I, C, T, W, l)$ can be quotiented by the relation $I'$ as follows: 

Let $N = (A, I, C, T, W, l)$ be a TCNet, and $I'$ an independence relation on $A$ 
such that $I \subseteq I'$; the quotient $N/I'$ is the trace net $N/I' = (A, I', C, T, W', l)$ 
where $W' = \varphi_{I,I'} \circ W$. 

For convenience we denote by $s_{I'}$ the image $\varphi_{I,I'}(s) \in (A^*/\approx_{I'})$ of a trace 
$s \in (A^*/\approx_I)$. 

The main property is that the firing sequences of a net $N$ are preserved in the 
quotient $N/I'$, and the images of its reachable markings by $\varphi_{I,I'}$ are reachable 
markings of $N/I'$. 

Lemma 6. Let $N = (A, I, C, T, W, l)$ be a TCNet, and $I \subseteq I'$, then 

1. $FS(N, M) \subseteq FS(N/I', M_{I'})$ 

2. $\varphi_{I,I'}(R(N, M)) \subseteq R(N/I', M_{I'})$. 
The relation between $Aut(N)$ and $Aut(N/I')$ is a morphism of concurrent 
automata, following the definition of [DK]. Such morphisms ensure that the 
concurrent behaviours of the source net can be executed in the target system in 
a more (or at least equally) concurrent way. 

A morphism between the automata $Aut = (Q, E, O, \{\|_M\}_{M \in Q})$ and 
$Aut' = (Q', E', O', \{\|'_M\}_{M \in Q'})$ is a pair $(\pi, \eta) : Aut \rightarrow Aut'$ where 
$\pi : Q \rightarrow Q'$, $\eta : E \rightarrow E'$, such that: 

1. $(M, t, M') \in O \Rightarrow (\pi(M), \eta(t), \pi(M')) \in O'$ 

2. $\pi(M_0) = M'_0$ 

3. $t \|_M t' \Rightarrow \eta(t) \|'_{\pi(M)} \eta(t')$ 

Proposition 6. Let $(N, M_0)$ be a marked TCNet, with $N = (A, I, C, T, W, l)$, 
and $I \subseteq I'$; the pair $(\varphi_{I,I'}, id_E)$ is an automata morphism 

$(\varphi_{I,I'}, id_E) : Aut(N, M_0) \rightarrow Aut(N/I', M_{0,I'})$ 

Increasing the independence on letters preserves the firing sequences and may 
enlarge their equivalence classes w.r.t. the congruence, incrementing concurrency. 
Viewing behaviours as partial words of transitions, we have the relation 
$Beh(N) \subseteq Aug(Beh(N/I'))$, where $Aug$ operates on its argument by incrementing 
the order relations of the included partial words. 

The morphism may also introduce new transitions, i.e. transitions which are 
not the image $(M_{I'}, t, M'_{I'}) \in O'$ of a transition $(M, t, M') \in O$. The situation is 
specified as follows: 

$\exists M \in R(N, M_0),\ t \in T : M_{I'}[t> \ \wedge\ (\forall M' \in R(N, M_0),\ M'_{I'} = M_{I'} \Rightarrow \neg M'[t>)$. 

It seems that the ongoing study of the different situations induced by an 
increment of independence should yield interesting properties and new insight 
into net structures. 

7.2 The Independence Partial Order 

As mentioned previously, the maximal independence for a trace alphabet is $I_m = 
\{A \times A - \Delta(A)\}$, more precisely $I_m = \bigcup_{c \in C} (\alpha(c) \times \alpha(c) - \Delta(\alpha(c)))$. We say that 
two TCNets $N$ and $N'$ are structure equivalent, denoted $N \sim N'$, iff they 
have the same quotient by the relation $I_m$, i.e. $N/I_m = N'/I_m$. The relation $\sim$ 
is obviously transitive and symmetric. We denote by $[[N]]$ the class of TCNets 
equivalent to $N$. 

The independence partial order $([[N]], \sqsubseteq)$ is composed of pairs $N \sqsubseteq N'$ 
such that $N'$ is a quotient $N/I'$ for some relation $I'$. It is a transitive relation on 
TCNets, due to the following property: if $N = (A, I, C, T, W, l)$ and $I \subseteq I' \subseteq I''$, 
then $N/I'' = (N/I')/I''$. Antisymmetry follows from that of $\subseteq$. The formal 
definitions are as follows: 

Let $N = (A, I, C, T, W, l)$ and $N' = (A, I', C, T, W', l)$ be two TCNets, then 

1. $N \sqsubseteq N' \Leftrightarrow I \subseteq I' \wedge N' = N/I'$. 

2. $N \sim N' \Leftrightarrow N/I_m = N'/I_m$. 

3. $[[N]] = \{N', N \sim N'\}$ 
Lemma 7. The equivalence $\sim$ is the symmetric transitive closure of $\sqsubseteq$. 

For any Fifo Net $N$, $[[N]]$ contains all the nets which can be deduced from $N$ by 
permutations on the arc labels $W(x, y) \in A^*$, and these are the minimal 
elements of $([[N]], \sqsubseteq)$. The first result of the definition of $([[N]], \sqsubseteq)$ is the existence 
of particular independences w.r.t. different properties: minimal independences 
for liveness or reachability properties, maximal ones for boundedness, as shown 
in the next section. 



7.3 Critical Independences w.r.t. Boundedness 

We consider the boundedness property w.r.t. the independence order, and the lemma 
below states that if $N'$ is bounded and $N \sqsubseteq N'$, then $N$ is bounded too. 

Lemma 8. Let $N = (A, I, C, T, W, l)$ be a TCNet, and $I \subseteq I'$; if $(N/I', M_{0,I'})$ is 
bounded, then $(N, M_0)$ is bounded. 

An immediate consequence is that if $N$ is unbounded and $N \sqsubseteq N'$, then $N'$ is 
unbounded. The lemma above induces the existence of critical independences, 
i.e. maximal w.r.t. the boundedness of a net. 

Proposition 7. (Maximal Independences w.r.t. Boundedness) 

If $N = (A, I, C, T, W, l)$ is bounded, and $N/I_m$ is not bounded, then we can 
find a (non unique) relation $I'$, with $I \subseteq I'$, such that 

1. $N/I'$ is bounded. 

2. if $I' \subsetneq I''$, then $N/I''$ is unbounded. 

We can relate this result to the propositions of Section 5, in which the 
sufficient conditions for the rationality of the component languages also yield 
maximal independence relations, those ensuring the connectedness of specific 
traces of $(A^*/\approx_I)$. 



7.4 Simple Coloured Nets 

The TCNet $N/I_m$ has a concurrent semantics in terms of stably concurrent 
automata as defined previously, but this definition forbids concurrent firing of 
transitions which output a common letter in the same channel. In particular 
it forbids autoconcurrency of the net transitions. For that reason we have to 
define specific firing rules and concurrent semantics for a coloured net, and then 
introduce it in the framework of the present section. 

A Simple Coloured Net $N = (A, C, T, W, l)$ has the weight function and the 
markings valued as multisets on $A$: $W : C \times T \cup T \times C \rightarrow \mathbb{N}^A$, $M : C \rightarrow \mathbb{N}^A$. 

The firing rules are defined as follows: 

1. $M[t> \Leftrightarrow \forall c \in C,\ W(c, t) \leq M(c)$ 

2. $M[t>M' \Leftrightarrow M[t> \ \wedge\ \forall c,\ M'(c) = (M(c) - W(c, t)) + W(t, c)$ 

where the relation $\leq$ and the operators $-$ and $+$ are the standard ones on 
multisets, i.e. defined componentwise. 

The main difference between the automaton with concurrency relations 
$Aut_{co}(N)$ defined for Coloured Nets and the ones of TCNets lies in the 
concurrency relation. Due to this difference, autoconcurrent firings of a transition 
are now allowed, and the new definition invalidates both the cube and inverse 
cube properties. 

$Aut_{co}(N) = (Q, E, O, \{\|_M\}_{M \in Q})$ where 

1. $Q = \{M : C \rightarrow \mathbb{N}^A\}$ is the set of states, 

2. $E = T$, the set of events coincides with the set of transitions of $N$, 

3. $O \subseteq Q \times E \times Q$ is the transition set, defined by $(M, t, M') \in O \Leftrightarrow M[t>M'$, 

4. $\|_M \subseteq E \times E$, defined by $t \|_M t' \Leftrightarrow \forall c \in C,\ W(c, t) + W(c, t') \leq M(c)$. 

The diamond property of $Aut_{co}(N)$ is obvious. 

Let $u \in (A^*/\approx_I)$; we denote by $[u] \in \mathbb{N}^A$ the multiset such that $\forall a \in A$, 
$[u](a) = |u|_a$. 

To any TCNet we associate a unique Coloured Net by replacing the flow 
function by its multiset value. 

Let $N = (A, I, C, T, W, l)$ be a TCNet; the coloured net associated to $N$ 
is $N_{co} = (A, C, T, [W], l)$ where $[W](x, y) = [W(x, y)]$ for $(x, y) \in C \times T \cup T \times C$. 

Lemma 9. Let $N = (A, I, C, T, W, l)$ be a TCNet; then the pair $([\_], id_E)$ is an 
automata morphism 

$([\_], id_E) : Aut(N, M) \rightarrow Aut_{co}(N_{co}, [M])$ 

This last section has completed the independence partial order $([[N]], \sqsubseteq)$ by 
the Simple Coloured Net $N_{co}$. 
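As an added illustration (not part of the paper), the following Python code implements the two firing rules and the concurrency relation $\|_M$ of a Simple Coloured Net together with the map $[\_]$ from words to multisets, on a constructed Fifo Net with one channel; it checks Lemma 9 along a firing sequence and shows two effects of forgetting letter order: a coloured-net transition that is not the image of any Fifo-net transition, and an autoconcurrent step. The alphabet, channel, transitions and flow function are constructed for the example.

```python
from collections import Counter

# Constructed Fifo Net (a TCNet with empty independence relation): alphabet
# A = {a, b}, a single channel c, transition p appends the word "ab" to c and
# transition q consumes the word "ab" from the head of c.  W maps C x T (consumed
# prefix) and T x C (appended output) to words; absent pairs are the empty word.
A = ("a", "b")
C = ("c",)
W_FIFO = {("c", "q"): "ab", ("p", "c"): "ab"}


def w_fifo(x, y):
    return W_FIFO.get((x, y), "")


def fifo_enabled(M, t):
    """M[t> in the Fifo Net: W(c, t) must be a prefix of every channel word M(c)."""
    return all(M[c].startswith(w_fifo(c, t)) for c in C)


def fifo_fire(M, t):
    """M[t>M': residue of M(c) by W(c, t), then concatenation of W(t, c)."""
    assert fifo_enabled(M, t)
    return {c: M[c][len(w_fifo(c, t)):] + w_fifo(t, c) for c in C}


def letters(u):
    """[u]: the multiset with [u](a) = |u|_a, i.e. the word with its order forgotten."""
    return Counter(u)


# The associated Simple Coloured Net N_co: [W](x, y) = [W(x, y)].
W_CO = {xy: letters(u) for xy, u in W_FIFO.items()}


def w_co(x, y):
    return W_CO.get((x, y), Counter())


def leq(m1, m2):
    """Componentwise <= on multisets over A."""
    return all(m1[a] <= m2[a] for a in A)


def co_enabled(M, t):
    """Firing rule 1: M[t> iff W(c, t) <= M(c) for every channel c."""
    return all(leq(w_co(c, t), M[c]) for c in C)


def co_fire(M, t):
    """Firing rule 2: M'(c) = (M(c) - W(c, t)) + W(t, c), componentwise."""
    assert co_enabled(M, t)
    result = {}
    for c in C:
        m = Counter(M[c])
        m.subtract(w_co(c, t))
        m.update(w_co(t, c))
        result[c] = +m          # unary + drops zero counts
    return result


def co_concurrent(M, t1, t2):
    """t ||_M t' iff W(c, t) + W(c, t') <= M(c) for all c; t1 == t2 is allowed."""
    return all(leq(w_co(c, t1) + w_co(c, t2), M[c]) for c in C)


def image(M):
    """[M]: channel-wise application of [_] to a Fifo-net marking."""
    return {c: letters(M[c]) for c in C}


def check_lemma9(M0, sequence):
    """Fires `sequence` in the Fifo Net and checks, step by step, that ([_], id_E)
    maps each transition (M, t, M') to a transition ([M], t, [M']) of Aut_co(N_co).
    Returns the number of steps checked."""
    M = M0
    for t in sequence:
        M_next = fifo_fire(M, t)
        assert co_enabled(image(M), t)
        assert co_fire(image(M), t) == image(M_next)
        M = M_next
    return len(sequence)


def main():
    print("checked steps:", check_lemma9({"c": ""}, ["p", "p", "q", "q"]))
    # A "new" coloured transition: with c = "ba", q cannot consume the prefix "ab"
    # in the Fifo Net, but [c] = {a, b} satisfies W(c, q) <= [M](c).
    M = {"c": "ba"}
    print("fifo q:", fifo_enabled(M, "q"), " coloured q:", co_enabled(image(M), "q"))
    # Autoconcurrency q ||_[M] q needs two copies of {a, b} in the channel.
    print("q || q at abab:", co_concurrent(image({"c": "abab"}), "q", "q"))
    print("q || q at ab:  ", co_concurrent(image({"c": "ab"}), "q", "q"))


if __name__ == "__main__":
    main()
```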



8 Conclusion 



[Diagram: four classes of nets ordered by inclusion of their marking and edge-label sets; legible labels: "A* words", "Fifo Nets".] 




The diagram above shows the inclusions between four classes of Nets, related 
to the inclusions of the underlying markings and edge labels sets. In the present 
paper, we have presented a framework introducing the two arrows on the left. 
Although traces can be viewed as particular partial words, an embedding mor- 
phism w.r.t. concatenation has not been defined yet, and the arrow on the right 
is ongoing work. 

Trace Channel Nets seem to be a 'sensible' generalisation of two existing and 
until now unrelated classes of Petri Nets. They lead Net Theory to follow the 
development of Formal Language Theory from word languages to trace languages and to 
partial word languages. Even if they inherit their Turing power from Fifo 
Nets, different tractable classes of interesting problems arise from their defini- 
tion, and hopefully they will result in specification and optimisation techniques 
for systems of communicating processes. In particular, the use of trace channels 
in CFSMs should prove useful in protocol specifications and proofs, to be ap- 
plied to Partial Order Connections and Protocols. They seem well adapted to 
represent concurrent systems where data are structured by order or dependence 
relations, and that is the case when data are themselves behaviour specifi- 
cations. Notions of observability, equivalence, refinement and implementation, 
compositionality or modularity should be developed for a practical use of the 
model, and are the topic of ongoing work. 
Abstract. In this paper we study properties of an abstract and (as 
we hope) uniform frame for Petri net models, which enables us to 
generalise the algebra as well as the enabling rule of Petri nets. Our approach to 
such a frame is based on using partial groupoids in Petri nets. Properties 
of Petri nets constructed in this manner are investigated through related 
labelled transition systems. In particular, we investigate the relationships 
between properties of partial groupoids used in Petri nets and properties 
of transition systems crucial for the existence of the state equation and 
linear algebraic techniques. We show that partial groupoids embeddable 
into Abelian groups play an important role in preserving these properties. 



1 Introduction 

Petri nets are one of the first well established and widely used non-interleaving 
models of concurrent systems. Their origin arises from Carl Adam Petri's disser- 
tation [ref] and the later concept of vector addition systems [ref]. Petri nets are 
popular and successfully used in many practical areas (see e.g. [ref] Vol. III). 

Briefly, a place/transition net (a p/t net), which is a basic version of Petri 
nets, is given by a set of places representing system components, a set of tran- 
sitions representing a set of atomic actions of the system, and their relationship 
given by an input and output function associating with each transition a multi- 
set over the set of places [ref]. A state of a net is a multi-set over the set 
of places called a marking. An occurrence of a transition removes/adds tokens 
from/to the marking according to the input/output function, respectively. A 
transition is enabled to occur iff in every place there are enough tokens to fire. 
Labelled transition systems (shortly transition systems) [ref] represent the basic 
interleaving model of concurrency [ref]. They may be described as directed graphs 
whose nodes are system states and whose arcs are labelled by elements from a 
set of labels representing a set of atomic actions of the system. For a Petri net, 

* This work is a part of the joint research project "DFG-Forschergruppe Petrinetz- 
Technologie" between H. Weber (Coordinator), H. Ehrig (both from Technical Uni- 
versity Berlin) and W. Reisig (Humboldt University Berlin) supported by the Ger- 
man Research Council (DFG). Part of this work was done during the author's stay at the 
Institute of Control Theory and Robotics, Slovak Academy of Sciences, and BRICS 
(Basic Research in Computer Science, Centre of the Danish National Research Foun- 
dation), Department of Computer Science, University of Aarhus. 

S. Donatelli, J. Kleijn (Eds.): ICATPN'99, LNCS 1639, pp. 324–..., 1999. 

© Springer-Verlag Berlin Heidelberg 1999 
the related transition system, called sequential case graph, is the graph whose 
nodes are markings, and whose arcs are determined by possible occurrences of 
net transitions and labelled by these transitions. 

A lot of effort has been put into the abstraction and extensions of Petri nets. 
In principle, we can recognise at least two kinds of Petri net extensions. 

The first kind is formed by extensions which have the same expressiveness 
as p/t nets but enable a more comprehensive description of systems; these 
extensions may be characterised as compressions of p/t nets. A typical example 
of this kind are the nets commonly called high level nets, which introduce types 
of tokens. Another direction is adding hierarchy to Petri nets [ref]. 

The second kind of extensions is characterised by an effort to have a more 
expressive model in comparison with p/t nets; these extensions might be called 
behavioural extensions of p/t nets. Again, behavioural extensions can be divided 
into at least two types. Extensions of the first type are based on relaxing the en- 
abling rule. Here belong, among others, Petri nets with inhibitor arcs [ref] that 
allow testing of zero markings, or contextual Petri nets [ref], but also Controlled 
Petri nets [ref], which are widely used in control of discrete event systems. The 
second type is characterised by generalising the underlying algebra, and extensions 
of this type are often characterised by an ambition to serve as an abstract and 
uniform frame for Petri net based models. Here we have to mention the seminal work 
[ref], the recent model of Abstract Petri nets introduced in [ref], but also a series 
of papers [ref]. Other representatives of extensions that use a different un- 
derlying algebra than p/t nets are extensions motivated by particular practical 
demands, e.g. continuous and hybrid Petri nets [ref]. 

Here, to give a simple and straightforward motivation for generalising the under- 
lying algebra of Petri nets, let us take the transition system $\mathcal{S}$ with three states 
$\{s_1, s_2, s_3\}$ and just one label, i.e. just one atomic action $t$, given as follows: 

[Figure: the transition system $\mathcal{S}$, a cycle of length 3 through $s_1$, $s_2$ and $s_3$ whose three arcs are all labelled $t$.] 



Clearly, there does not exist any p/t net whose sequential case graph is (isomor- 
phic to) the given transition system $\mathcal{S}$, because for an arbitrary set of places $P$ all 
nonzero elements of the commutative monoid of multi-sets over $P$ with multi-set 
addition have infinite order. In other words, the system $\mathcal{S}$ cannot be modelled 
by any p/t net with just one transition. To model this system by a Petri net, it 
is obvious to use a labelled Petri net² with at least two transitions labelled by 
the same label. However, using a cyclic group of order 3, such a system would be 
modelled by an unlabelled Petri net with just one transition. Considering more 
complex systems with cyclic behaviour, e.g. transition systems with many cycles 
of different order, where each cycle is labelled using just one label, the num- 
ber of necessary transitions in a labelled Petri net model may grow combinatorially 
with respect to the number of labels in the modelled system. To avoid this 
undesirable growth, it would suffice to use cyclic groups of the related orders. 



² i.e. a Petri net whose transitions are labelled by elements of a set of labels 
Motivated by theoretical as well as practical demands, such as enabling an 
easy creation of new net models, or avoiding the creation of similar concepts, tech- 
niques and results again and again for any particular extension, there is a real 
need to develop a sufficiently abstract and general frame that will capture the 
common spirit of Petri net models. However, the existing candidates for such a 
uniform frame of Petri net description, which suggest sufficiently abstract and 
general algebraic constructions, as for instance Abstract Petri nets from [ref], 
do not deal with relaxing of the enabling rule. Therefore, in [ref] we have defined 
an abstract and uniform frame for various classes of Petri nets, which allows to 
generalise Petri net algebra as well as to work with a flexible enabling rule. Our 
approach to such a frame has been based on using partial algebra in Petri nets. 

Given a class of Petri nets, the realisation problem, i.e. the question which 
kind of transition systems may be modelled by Petri nets from this class, has 
been studied deeply. There are exhaustive results for elementary net systems 
[ref]; the problem is solved for p/t nets in the setting of step transition 
systems in [ref], and in a special form also for Abstract Petri nets (including p/t 
nets) in [ref], to mention only the most significant results. A very interesting 
recent framework, which characterises vector addition systems in a similar way 
as this paper, is [ref]. 

Having a general frame that allows to define numerous Petri net classes, 
the dual question may be of interest. Namely, taking a property of transition 
systems, one may ask which class of Petri nets represents the class of transition 
systems with this property. 

For illustration, the main advantages of p/t nets consist in the fact that they 
grant a well arranged graphical expression of the system as well as a simple 
analytical model in the form of a linear algebraic system called the state equation, 
which enables us to overcome the sequentiality of computations. As a consequence, 
p/t nets offer linear algebraic analytical methods, such as place and transition 
invariants. The advantage of this simple analytical expression of p/t nets is due 
to the following important properties of their sequential case graphs: 



— The sequential case graphs of p/t nets are deterministic transition systems, 
i.e. transition systems where for every state $s$ and every label $t$ there is 
at most one state $s'$ such that there exists an arc from state $s$ to state $s'$ 
labelled by the label $t$; 

— The sequential case graphs of p/t nets are commutative transition systems, 
i.e. transition systems where for each pair of strings of labels with the same 
number of occurrences of single labels we have: if there exist paths from a 
common source state labelled by these strings then they lead to the common 
target state.³ Commutativity is just the property that enables us to overcome 
sequentiality of computations, because it allows to use multi-sets of labels in 
a deterministic way. 

— In addition, (the symmetric closures of) the sequential case graphs of p/t 
nets are consensual commutative transition systems, i.e. commutative tran- 
sition systems where for every two multi-sets of labels holds: if they change 
a common source state to a common target state, then they change every 
common source state in which both may occur to a common target state. 
Moreover, this 'consensus' is transitive and closed under addition and sub- 
traction of multi-sets. Thus, consensuality is just the property that enables 
us to speak about changes caused by multi-sets independently from states. 

³ Hence, every commutative labelled transition system is deterministic. 

This may lead to an interesting question: which properties of the partial algebra 
used in extended Petri nets correspond to the properties of related transition 
systems crucial for the existence of the state equation and linear algebraic tech- 
niques, i.e. to the determinism, commutativity and consensuality of sequential 
case graphs? In [ref] we have proved that the class of reachable consensual com- 
mutative transition systems coincides with the class of sequential case graphs 
of marked Petri nets whose underlying partial groupoid is embeddable into an 
Abelian group. However, one can easily find some non-reachable consensual com- 
mutative transition system for which there does not exist any Petri net with un- 
derlying algebra embeddable into an Abelian group whose sequential case graph 
is isomorphic with the given non-reachable transition system. So, in this paper 
we extend the results from [ref], proving that the class of sequential case graphs of 
unmarked Petri nets with partial groupoid embeddable into an Abelian group 
coincides with the class of transition systems whose symmetric closure is com- 
mutative and consensual. 

2 Petri Nets - Basic Definitions 

Before defining Petri nets, let us first define some notation. We use $\mathbb{Z}$ to denote the 
integers, $\mathbb{Z}^+$ to denote the positive integers, and $\mathbb{N}$ to denote the nonnegative integers. 
Moreover, we also shortly write $\mathbb{Z}$ to denote the infinite cyclic group of integers 
with addition $(\mathbb{Z}, +)$, and $\mathbb{N}$ to denote the commutative monoid of nonnegative 
integers with addition $(\mathbb{N}, +)$. Given two arbitrary sets, say $A$ and $B$, the symbol 
$B^A$ denotes the set of all functions from $A$ to $B$. Given a function $f$ from $A$ 
to $B$ and a subset $C$ of the set $A$ we write $f|_C$ to denote the restriction of the 
function $f$ to the set $C$. As usual, the symbol $2^A$ denotes the power set (i.e. the set 
of all subsets) of the set $A$. To denote the set of all multi-sets over a set $A$ with 
multi-set addition we write $(\mathbb{N}^A, +)$ or shortly $\mathbb{N}^A$. To denote the set of all finite 
multi-sets over a set $A$ with multi-set addition, i.e. the free commutative monoid 
over a set $A$, we write $(\mathbb{N}^A_{fin}, +|_{\mathbb{N}^A_{fin} \times \mathbb{N}^A_{fin}})$. Thus, $\mathbb{N}^A_{fin} = \{b \mid b \in \mathbb{N}^A \wedge |A_b| \in \mathbb{N}\}$, 
where $A_b = \{a \mid a \in A \wedge b(a) \neq 0\}$ is the subset of the set $A$ mapped by the function 
$b \in \mathbb{N}^A$ to nonzero integers, i.e. $A_b$ is the set of elements from $A$ that are 
contained (occur at least once) in the multi-set $b$. Clearly, $(\mathbb{N}^A_{fin}, +|_{\mathbb{N}^A_{fin} \times \mathbb{N}^A_{fin}})$ 
is a submonoid of the monoid $(\mathbb{N}^A, +)$. Similarly, we use $(\mathbb{Z}^A, +)$ or shortly 
$\mathbb{Z}^A$ to denote the Abelian group of integer vectors over a set $A$ with element 
by element addition. To denote the free Abelian group over a set $A$ we write 
$(\mathbb{Z}^A_{fin}, +|_{\mathbb{Z}^A_{fin} \times \mathbb{Z}^A_{fin}})$. Thus, $\mathbb{Z}^A_{fin} = \{b \mid b \in \mathbb{Z}^A \wedge |A_b| \in \mathbb{N}\}$, where $A_b$ is given as 
previously. Evidently, the free Abelian group $(\mathbb{Z}^A_{fin}, +|_{\mathbb{Z}^A_{fin} \times \mathbb{Z}^A_{fin}})$ is a subgroup of the 
Abelian group $(\mathbb{Z}^A, +)$. As usual, we write only $(\mathbb{N}^A_{fin}, +)$ or shortly $\mathbb{N}^A_{fin}$ instead 
of the rather complicated $(\mathbb{N}^A_{fin}, +|_{\mathbb{N}^A_{fin} \times \mathbb{N}^A_{fin}})$, and $(\mathbb{Z}^A_{fin}, +)$ or shortly $\mathbb{Z}^A_{fin}$ instead 
of $(\mathbb{Z}^A_{fin}, +|_{\mathbb{Z}^A_{fin} \times \mathbb{Z}^A_{fin}})$. Notice that if the set $A$ is finite, then $\mathbb{N}^A = \mathbb{N}^A_{fin}$ and 
$\mathbb{Z}^A = \mathbb{Z}^A_{fin}$. As one may see from the previous notation, we often use the symbol 
$+$ in the paper universally to denote a binary operation, i.e. we use the symbol 
$+$ for different operations. 

According to the previous section, in algebraic form Petri nets 
(place/transition nets) are defined as follows: 



Definition 1. A place/transition net (shortly p/t net) is an ordered tuple $\mathcal{N} = 
(P, T, I, O)$, where $P$ and $T$ are nonempty distinct sets of places and transitions, 
and $I, O : T \rightarrow \mathbb{N}^P$ are input and output functions. A marked p/t net is a pair 
$\mathcal{MN} = (\mathcal{N}, M_0)$, where $\mathcal{N}$ is a p/t net and $M_0 \in \mathbb{N}^P$ is an initial marking. 



Definition 2. A state of a p/t net, called marking and denoted by $M$, is a multi- 
set over $P$, i.e. an element of $\mathbb{N}^P$. The dynamics of the net is expressed by the 
occurrence (firing) of enabled transitions. A transition $t \in T$ is enabled to occur 
in a marking $M \in \mathbb{N}^P$ iff $\forall p \in P : M(p) \geq I(t)(p)$, i.e. iff $\exists X \in \mathbb{N}^P : X + I(t) = 
M$. The occurrence of an enabled transition $t \in T$ in a marking $M$ then leads to the 
new marking $M'$ given by $M' = M + O(t) - I(t)$, i.e. to $M' = X + O(t)$ for the 
$X \in \mathbb{N}^P$ such that $X + I(t) = M$. 

At this point we recall the definition of labelled transition systems [ref]. 

Definition 3. A labelled transition system (shortly transition system) is an or- 
dered tuple $\mathcal{S} = (S, L, \rightarrow)$, where $S$ is a set of states, $L$ is a set of labels and 
$\rightarrow \subseteq S \times L \times S$ is a transition relation. 

The fact that $(s, a, s') \in \rightarrow$ is written as $s \xrightarrow{a} s'$. Denoting by $L^*$ the 
monoid of all finite strings of labels from $L$ with concatenation, it is obvious to 
extend the transition relation to the string transition relation $\rightarrow^* \subseteq S \times L^* \times S$ as 
follows: $(s, q, s') \in \rightarrow^*$ whenever there exists a, possibly empty, string of labels 
$q = a_1 \ldots a_n$ such that $s \xrightarrow{a_1} s_1 \xrightarrow{a_2} \cdots \xrightarrow{a_n} s'$. To denote $(s, q, s') \in \rightarrow^*$ we simply 
write $s \xrightarrow{q} s'$. Clearly, $s \xrightarrow{q} s' \xrightarrow{r} s'' \Rightarrow s \xrightarrow{qr} s''$. As usual, we also 
write $s \xrightarrow{a}$ and $s \xrightarrow{q}$ to denote that there exists $s' \in S$ such that $s \xrightarrow{a} s'$ 
and $s \xrightarrow{q} s'$, respectively. A state $s'$ is said to be reachable from a state $s$ iff 
there exists a string of labels $q$ such that $s \xrightarrow{q} s'$. Given a state $s \in S$, the 
set of all states reachable from $s$ is denoted by $\{s \rightarrow^*\}$. A transition system 
is said to be reachable iff every $s' \in S$ is reachable from a fixed state $s \in S$ 
(i.e. $\exists s \in S : \{s \rightarrow^*\} = S$). A transition system $\mathcal{S} = (S, L, \rightarrow)$ is called 
deterministic iff $\forall s \xrightarrow{a} s', s \xrightarrow{a} s'' : s' = s''$. As usual, we say that a state $s \in S$ 
is isolated iff there exists no $a \in L$ and no $s' \in S$ such that $s \xrightarrow{a} s' \vee s' \xrightarrow{a} s$. 

We say that two transition systems are (transitionally) equivalent iff they 
differ only in some isolated states and unused labels, i.e. iff after removing some 
isolated states and unused labels they are isomorphic. Formally we have: 

Definition 4. Given any pair of transition systems $\mathcal{S} = (S, L, \rightarrow)$ and $\mathcal{S}' = 
(S', L', \rightarrow')$ we say that $\mathcal{S}$ and $\mathcal{S}'$ are (transitionally) equivalent iff there exist: 

- $S_1 \subseteq S$, $L_1 \subseteq L$ : $\rightarrow \subseteq S_1 \times L_1 \times S_1$ 

- $S'_1 \subseteq S'$, $L'_1 \subseteq L'$ : $\rightarrow' \subseteq S'_1 \times L'_1 \times S'_1$ 

such that the systems $(S_1, L_1, \rightarrow)$ and $(S'_1, L'_1, \rightarrow')$ are isomorphic (i.e. there exist 
bijections $\alpha : S_1 \rightarrow S'_1$ and $\beta : L_1 \rightarrow L'_1$ such that $\forall (s, a, s') \in S_1 \times L_1 \times S_1 : 
s \xrightarrow{a} s' \Leftrightarrow \alpha(s) \xrightarrow{\beta(a)}{}' \alpha(s')$). 

Definition 5. A pointed transition system is an ordered tuple $\mathcal{PS} = (\mathcal{S}, i)$ where 
$\mathcal{S} = (S, L, \rightarrow)$ is a transition system and $i \in S$ is a distinguished initial state 
such that $\{i \rightarrow^*\} = S$, i.e. every state is reachable from $i$. 

Now it is straightforward to see that each p/t net can be associated with a 
deterministic transition system. 

Definition 6. Let $\mathcal{N} = (P, T, I, O)$ be a p/t net. Then the transition system 
$\mathcal{S} = (\mathbb{N}^P, T, \rightarrow)$ such that $M \xrightarrow{t} M' \Leftrightarrow t$ is enabled to occur in the 
marking $M$ and its occurrence leads to the marking $M'$, is called the sequential case 
graph of the p/t net $\mathcal{N}$. Given any marking $M_0 \in \mathbb{N}^P$, the pointed transition 
system $\mathcal{PS} = ((\{M_0 \rightarrow^*\}, T, \rightarrow \cap (\{M_0 \rightarrow^*\} \times T \times \{M_0 \rightarrow^*\})), M_0)$ is called 
the sequential case graph of the marked p/t net $\mathcal{MN} = (\mathcal{N}, M_0)$. 

In the following, for a finite string $q = a_1 \ldots a_n$ over a set $A$ we write $b_q$ to 
denote the Parikh image of $q$, i.e. $b_q \in \mathbb{N}^A_{fin}$ is the multi-set in which the number 
of occurrences $b_q(a)$ of each element $a$ from $A$ is given by the number of its 
occurrences in $q$; formally $b_q(a) = |\{i \mid i \in \{1, \ldots, n\} \wedge a_i = a\}|$ for every $a \in A$. 

Moreover, given a function $f : T \rightarrow \mathbb{Z}^P$, we denote by $\bar{f}$ the linear $\mathbb{Z}$-extension 
of the function $f$, i.e. $\bar{f} : \mathbb{Z}^T_{fin} \rightarrow \mathbb{Z}^P$ is such that $\forall b \in \mathbb{Z}^T_{fin} : \bar{f}(b) = 
\sum_{t \in T_b} f(t) \cdot b(t)$, where naturally the sum over the empty set is the zero function, i.e. we 
define $\bar{f}(0) = 0$. In other words, for finite sets $P$ and $T$, $\bar{f}$ may be understood as 
a 'matrix' whose rows are the values $f(t)$, and then, for a given 'vector' $b$, the value $\bar{f}(b)$ 
represents the result of the standard multiplication of the 'matrix' $\bar{f}$ by the 'vector' $b$. 

Now, given a p/t net $\mathcal{N} = (P, T, I, O)$, let $C : T \rightarrow \mathbb{Z}^P$ be such that $\forall t \in T : 
C(t) = O(t) - I(t)$. The properties of the Abelian group $\mathbb{Z}^P$ over the set $P$ enable 
us to write $M' = M + \bar{C}(b_q)$ whenever $M \xrightarrow{q} M'$. Moreover, the existence of a 
solution of the equation $\bar{C}(Y) = M' - M$ in $\mathbb{N}^T_{fin}$ is a necessary condition for the 
reachability of $M'$ from $M$. The solution $Y \in \mathbb{N}^T_{fin}$ then determines the number 
of transition occurrences that lead from $M$ to $M'$. One usually calls the equation 

$M' = M + \bar{C}(Y)$ or $M' = M + \bar{O}(Y) - \bar{I}(Y)$ 

the state equation of p/t nets and $Y \in \mathbb{N}^T_{fin}$ a firing vector. Thus, in p/t nets 
and their sequential case graphs the change of the state is invariant on the order 
of transition occurrences and depends only on the number of their occurrences.⁵ 
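As an added worked example (not the paper's own code), the following Python code implements the enabling rule "there exists $X$ with $X + I(t) = M$" over two algebras: $(\mathbb{N}^P, +)$, giving ordinary p/t nets with their sequential case graph, Parikh images and state equation, and the cyclic group $\mathbb{Z}_3$ from the Introduction, where a single unlabelled transition realises the three-state cycle $\mathcal{S}$ that no p/t net with one transition can. The nets, markings and firing sequences are constructed for the example.

```python
from collections import Counter, deque


class Multisets:
    """The algebra (N^P, +) of markings of ordinary p/t nets (Definitions 1 and 2);
    a marking is a tuple indexed by the places P."""

    def __init__(self, P):
        self.P = tuple(P)

    def add(self, X, Y):
        return tuple(x + y for x, y in zip(X, Y))

    def solve(self, I, M):
        """The unique X in N^P with X + I = M, or None: this is the enabling rule."""
        X = tuple(m - i for m, i in zip(M, I))
        return X if all(x >= 0 for x in X) else None


class CyclicGroup:
    """The algebra (Z_n, +), suggested in the Introduction for cyclic behaviour."""

    def __init__(self, n):
        self.n = n

    def add(self, X, Y):
        return (X + Y) % self.n

    def solve(self, I, M):
        return (M - I) % self.n       # X + I = M is always uniquely solvable


class Net:
    """N = (P, T, I, O) with I, O : T -> algebra.  t is enabled in M iff some X
    satisfies X + I(t) = M, and its occurrence leads to X + O(t)."""

    def __init__(self, alg, I, O):
        self.alg, self.I, self.O = alg, I, O

    def step(self, M, t):
        X = self.alg.solve(self.I[t], M)
        return None if X is None else self.alg.add(X, self.O[t])

    def run(self, M, q):
        """Fires the string q from M; None if some transition is not enabled."""
        for t in q:
            M = self.step(M, t)
            if M is None:
                return None
        return M

    def case_graph(self, M0, limit=50):
        """Sequential case graph of the marked net (Definition 6) by breadth-first
        search from M0, cut off after `limit` states; returns (states, arcs)."""
        states, arcs, todo = {M0}, set(), deque([M0])
        while todo and len(states) < limit:
            M = todo.popleft()
            for t in self.I:
                M_next = self.step(M, t)
                if M_next is not None:
                    arcs.add((M, t, M_next))
                    if M_next not in states:
                        states.add(M_next)
                        todo.append(M_next)
        return states, arcs


def parikh(q):
    """Parikh image b_q: the number of occurrences of each transition in q."""
    return Counter(q)


def state_equation(net, M, Y):
    """M + C(Y) for a p/t net: C(t) = O(t) - I(t) in Z^P, extended linearly to the
    firing vector Y in N^T_fin (the state equation of Section 2)."""
    delta = [0] * len(M)
    for t, k in Y.items():
        for j, (o, i) in enumerate(zip(net.O[t], net.I[t])):
            delta[j] += k * (o - i)
    return tuple(m + d for m, d in zip(M, delta))


# Constructed p/t net over P = (p1, p2, p3): a moves a token p1 -> p2 but needs a
# token in p3 (which it returns), b puts a token into p3, c moves p2 -> p1.
PT = Net(Multisets(("p1", "p2", "p3")),
         I={"a": (1, 0, 1), "b": (0, 0, 0), "c": (0, 1, 0)},
         O={"a": (0, 1, 1), "b": (0, 0, 1), "c": (1, 0, 0)})

# One transition t over Z_3 with I(t) = 0, O(t) = 1: the cycle s1 -> s2 -> s3 -> s1.
Z3 = Net(CyclicGroup(3), I={"t": 0}, O={"t": 1})

# One transition t over N^{p} with I(t) = 0, O(t) = 1: every nonzero element of N
# has infinite order, so firing t never returns to the initial marking.
ONE_PLACE = Net(Multisets(("p",)), I={"t": (0,)}, O={"t": (1,)})


def main():
    M0 = (1, 0, 0)
    print("reached", PT.run(M0, "baca"), "state equation", state_equation(PT, M0, parikh("baca")))
    # Necessary but not sufficient: Y = b_a solves M0 + C(Y) = (0, 1, 0), yet a is
    # not enabled in M0 (and p3 never decreases, so (0, 1, 0) is unreachable).
    print("solves:", state_equation(PT, M0, parikh("a")), " fires:", PT.run(M0, "a"))
    print("Z_3 case graph arcs:", sorted(Z3.case_graph(0)[1]))
    states, arcs = ONE_PLACE.case_graph((0,), limit=20)
    print(len(states), "states explored, no arc back to (0,):",
          all(M_next != (0,) for _, _, M_next in arcs))


if __name__ == "__main__":
    main()
```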
At this place we give a definition of elementary nets adapted from [ref], for 
which the realisation problem was already solved [ref]. 

⁵ However, the fact whether such a change of a state is possible depends on the order 
of transition occurrences. 
Definition 7. An elementary net is an ordered tuple $\mathcal{EN} = (P, T, I, O)$ where 
$P$ and $T$ are disjoint sets of places and transitions, and $I, O : T \rightarrow 2^P$ are input 
and output functions. A marking of an elementary net $\mathcal{EN}$ is a subset of $P$. A 
transition $t \in T$ is enabled to occur in a marking $M \in 2^P$ iff $\exists X \subseteq P : X \cap I(t) = 
\emptyset \wedge X \cup I(t) = M \wedge X \cap O(t) = \emptyset$, and then its occurrence leads to the marking 
$M' = X \cup O(t)$. 

3 Petri Nets - Algebraic Extensions 

In this section we deal with some abstract generalisations of p/t nets found in 
the literature. One of the first successful abstractions of p/t nets can be found 
in the paper [ref]. There the theory is built over Definition 1. 

Recall that in [ref] the possible occurrences of transitions are represented in 
a formally different way than we described in Definition 2. In fact, there is no 
explicitly defined enabling rule. In the following, let us briefly explain the way 
of representing the occurrences of transitions in the framework of [ref]. 
First, recall that a directed graph is a quadruple $(V, A, I, O)$, where $V$ is a set of 
vertices, $A$ is a set of arcs, and $I, O : A \rightarrow V$ are input (or source) and output 
(or target) functions, respectively. Thus, every p/t net $\mathcal{N} = (P, T, I, O)$ may be 
seen as a graph $\mathcal{G}_\mathcal{N} = (\mathbb{N}^P, T, I, O)$. Let $I', O' : \mathbb{N}^P \times \mathbb{N}^T_{fin} \rightarrow \mathbb{N}^P$ be such that 

$\forall (X, Y) \in \mathbb{N}^P \times \mathbb{N}^T_{fin} : I'(X, Y) = X + \bar{I}(Y) \wedge O'(X, Y) = X + \bar{O}(Y)$. 

Then the directed graph $\mathcal{CG}_\mathcal{N} = (\mathbb{N}^P, \mathbb{N}^P \times \mathbb{N}^T_{fin}, I', O')$, which is just the reflexive 
and additive closure of the graph $\mathcal{G}_\mathcal{N}$, is called the case graph of the p/t net $\mathcal{N}$ in [ref].⁶ 
In the graph $\mathcal{CG}_\mathcal{N}$, an arc $(X, Y) \in \mathbb{N}^P \times \mathbb{N}^T_{fin}$ represents a (possible) 
concurrent occurrence of transitions given by the multi-set $Y$ from the marking 
$M = I'(X, Y)$ to the marking $M' = O'(X, Y)$. Given a transition $t \in T$, all 
possible occurrences (firings) of the single transition $t$ are represented by the set 
of arcs $Arc_t = \{(X, Y) \mid (X, Y) \in \mathbb{N}^P \times \mathbb{N}^T_{fin} \wedge Y = b_t\}$.⁷ So, in particular, 
given an arc $(X, Y) \in Arc_t$, it represents a possible occurrence (firing) of the single 
transition $t$ from the marking $M = I'(X, Y)$ to the marking $M' = O'(X, Y)$. 
Clearly, taking an arbitrary arc $(X, Y) \in Arc_t$, we have $I'(X, Y) = X + I(t)$ 
and $O'(X, Y) = X + O(t)$, and therefore, for all markings $M, M' \in \mathbb{N}^P$ and 
every transition $t \in T$, there exists a possible occurrence of the single transition $t$ 
from the marking $M$ to the marking $M'$ if and only if transition $t$ is enabled to 
occur in the marking $M$ and its occurrence leads to the marking $M'$ according 
to Definition 2. This fact enables us to use Definition 2 whenever we refer to the 
dynamics of nets from the paper [ref]. 

For our purpose the paper [ref] is important by the fact that, to our best 
knowledge, it first proposes a generalisation of the algebra used for the places of the 
net. As possible algebras there are suggested commutative monoids (the category 
of p/t nets with such an assumption is called GralPetri in [ref]) and generally 
semimodules. According to [ref], for nets that are objects of GralPetri we have 
that markings are elements of a commutative monoid $(E, +)$, i.e. $M \in E$, and the 
functions $I, O$ associate with each transition an element of $E$, i.e. $I, O : T \rightarrow E$. 
Then, according to the previous paragraph, we have that a transition $t \in T$ 
is enabled to occur in a marking $M \in E$ iff there exists $X \in E$ such that 
$X + I(t) = M$, and then its occurrence leads to the marking $M'$ such that 
$M' = X + O(t)$. 

⁶ Remember that the case graph from [ref], which is a directed graph, formally differs from 
the sequential case graph given in Definition 6, which is a labelled transition system. 
⁷ where $b_t$ denotes the multi-set over the set of transitions $T$ determined by the one-element 
string $t$ 

Example 1. Given a set $P = \{a, b\}$, take for the domain of markings the non- 
cancellative commutative monoid formed by the power set of $P$ with standard 
union, i.e. $(2^P, \cup)$. Let $T = \{t\}$, $I(t) = \{a, b\}$ and $O(t) = \emptyset$. Then we have 
that the occurrence of $t$ in the marking $M = \{a, b\}$ leads to a marking $M'$ such that 
$M' \cup \{a, b\} = M$. From the following figure with the sequential case graph of 
such a net we can see that the occurrence of $t$ is nondeterministic. 

[Figure: sequential case graph of the net; from the marking $\{a, b\}$ the arcs labelled $t$ lead to every $M'$ with $M' \cup \{a, b\} = \{a, b\}$, i.e. to $\emptyset$, $\{a\}$, $\{b\}$ and $\{a, b\}$.] 

The idea given in the cited paper is further generalised in later work. The algebra considered there is generally a commutative semigroup. So, according to that work, abstract Petri nets are given as follows:

Definition 8. A net structure functor is a composition $G \circ E$, where $E$ is a functor from the category of sets to the category of commutative semigroups and $G$ is its right adjoint. Given a net structure functor $G \circ E$, a low-level abstract Petri net is a tuple $(P, T, I, O)$, where $P$ and $T$ are sets of places and transitions, respectively, and $I, O$ are functions from $T$ to $G \circ E(P)$.

A marking of a low-level abstract Petri net is an element $M \in E(P)$. Because of the properties of the adjunction, for each $f : T \to G \circ E(P)$ there exists a unique extension $\bar{f} : E(T) \to E(P)$. Then the enabling rule and occurrence of "transition vectors" are defined as follows: given a "transition vector" $v \in E(T)$, it is said that $v$ is enabled to occur in $M$ iff there exists $X \in E(P)$ such that $X + \bar{I}(v) = M$, and then the occurrence of $v$ leads to $M' = X + \bar{O}(v)$. The cited work mentions the possibility of nondeterminism caused by nonunique solutions of the equation $X + \bar{I}(v) = M$. It is solved by specifying additional conditions. Recall that a net in which $E(P) = \mathcal{P}(P) = (2^P, \cup)$, where $\mathcal{P}$ is the standard powerset functor mapping a set to its power set with union, is called an unsafe elementary net. The problem of the nonunique solution of the equation $X \cup I(t) = M$ is solved by demanding the usual set complement of $I(t)$ in $M$ to be $X$.




(Footnote) For more details see the cited paper.

Gabriel Juhas



Example 2. Now, take again as in the previous example $P = \{a,b\}$, and the algebra of the net $(2^P, \cup)$. We have for a marking $M$ that $M \in 2^P$. In order to remove nondeterminism of transition occurrences, let us consider only the complement of $I(t)$ in $M$ to be $X$ in the equation $X \cup I(t) = M$, so we have that a transition $t$ is enabled to occur in $M$ iff there exists $X \in 2^P$ such that $X \cap I(t) = \emptyset \wedge X \cup I(t) = M$. Let $T = \{t_1, t_2, t_3, t_4\}$, let $I(t_1) = \{a\}$, $I(t_3) = \{b\}$, $O(t_2) = \{a\}$, $O(t_4) = \{b\}$ and let every other value of the input and output functions be equal to the empty set. So, we have that the occurrence of an enabled transition in a marking $M$ leads to $M'$ such that

for $t_1$: $M' \cup \{a\} = M$; for $t_2$: $M' = M \cup \{a\}$;

for $t_3$: $M' \cup \{b\} = M$; for $t_4$: $M' = M \cup \{b\}$.

[Figure: sequential case graph of the net of Example 2 over the markings $\emptyset$, $\{a\}$, $\{b\}$ and $\{a,b\}$.]

(Footnote) Using the terminology of the cited work, we have defined an unsafe elementary net.

As we can see from the previous figure with the sequential case graph of the net, although we demand in the equation $X \cup I(t) = M$ only the set complement of $I(t)$ in $M$ to be $X$ in order to remove nondeterminism, we have that, for example, the sequence of transitions $t_2 t_1 t_3$ changes the marking $\{a,b\}$ to the marking $\emptyset$, but the occurrence of the same transitions in a different order (e.g. $t_1 t_3 t_2$) changes the same marking $\{a,b\}$ to the marking $\{a\}$. This generally means that using noncancellative commutative monoids as Petri net algebra, the change of the state can depend on the order of the transition occurrences, i.e. commutativity of transition occurrences (if enabled) is not satisfied. However, commutativity is just the property that permits overcoming sequentiality in Petri net computations! There are also other interesting properties than commutativity, preserved by partial algebras that can be embedded into an Abelian group, that hold in standard p/t nets but do not hold if one uses noncancellative commutative monoids. As we can see from the previous example, the occurrence of the transition $t_2$ sometimes changes the marking (e.g. in $\{b\}$) and sometimes not (e.g. in $\{a\}$). These problems are caused by the fact that in noncancellative commutative monoids equations can have more than one solution. However, if we add some other additional enabling conditions that choose just one solution (in Example 2 it could be the condition $X \cap O(t) = \emptyset$, which removes self-loops from the sequential case graph and makes the net an elementary net as established in the definition of elementary nets), then there are still some problems caused by the fact that the same functor is used for places and transitions. Namely, if one wants to allow the use of a composition of 'firing vectors' (i.e. to allow 'firing vectors' from $E(T)$), then the computation through sequences of 'firing vectors' may differ from the computation through the composition of 'firing vectors'; e.g. in the case of Example 2 with the previously mentioned additional condition, the sequence of 'vectors' $\{t_1\}, \{t_3\}, \{t_2\}, \{t_1\}$ changes the marking $\{a,b\}$ to the marking $\emptyset$, but the composition $\{t_1\} \cup \{t_3\} \cup \{t_2\} \cup \{t_1\} = \{t_1, t_2, t_3\}$ changes the marking $\{a,b\}$ to the marking $\{a\}$. Generally, the use of the same functor in the construction of the extended input and output functions $\bar{I}, \bar{O}$ causes that we cannot choose different kinds of algebra for transitions and places. However, for elementary net systems one could want to have a multi-set extension of the input and output functions in order to express the change caused by multiple occurrences of transitions. Finally, the consideration of only total semigroups causes that the treatment of some more complicated enabling rules has to be done using "additional conditions".
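The following Python program is an added example, not code from the paper: it implements the enabling and occurrence rule over a pluggable (partial) algebra and reproduces the behaviour of Examples 1 and 2 by enumerating every solution $X$ of $X + I(t) = M$. The class names, the bounded multi-set carrier for the standard p/t net, and the "bot_out" switch (which lets the complement rule of Example 2 restrict only the input side) are assumptions of this example.

```python
"""Enabling and occurrence rule of algebraically generalised p/t nets over a
pluggable partial groupoid (added example, not code from the paper).

A transition t is enabled in marking M iff some X in the carrier satisfies
    X bot I(t)  and  X + I(t) == M  and  X bot O(t),
and then its occurrence leads to M' = X + O(t).  Every solution X is kept,
so nondeterminism of a non-cancellative algebra shows up as several successors.
"""
from itertools import combinations, permutations, product


def powerset(places):
    """All subsets of `places` as frozensets: the carrier 2^P."""
    return [frozenset(c) for r in range(len(places) + 1)
            for c in combinations(places, r)]


class PartialGroupoid:
    """(H, bot, +) with a finite carrier.  `bot_out` is the domain check used
    on the output side; the paper's rule uses the same `bot` on both sides."""
    def __init__(self, carrier, op, bot=lambda X, Y: True, bot_out=None):
        self.carrier, self.op, self.bot = carrier, op, bot
        self.bot_out = bot if bot_out is None else bot_out


def successors(alg, I, O, t, M):
    """All markings M' reachable by one occurrence of t in M (Definition 12)."""
    out = set()
    for X in alg.carrier:
        if alg.bot(X, I[t]) and alg.op(X, I[t]) == M and alg.bot_out(X, O[t]):
            out.add(alg.op(X, O[t]))
    return out


def run(alg, I, O, seq, M):
    """Fire `seq` transition by transition; returns the set of end markings
    (empty if the sequence is blocked somewhere)."""
    fronts = {M}
    for t in seq:
        fronts = {M2 for M1 in fronts for M2 in successors(alg, I, O, t, M1)}
    return fronts


def order_dependent(alg, I, O, seq, M):
    """Map each permutation of `seq` (all have the same Parikh image) to its
    end markings; a commutative case graph gives one value for every key."""
    return {perm: run(alg, I, O, perm, M) for perm in set(permutations(seq))}


P = ("a", "b")
AB, E = frozenset(P), frozenset()
disjoint = lambda X, Y: not (X & Y)

# Example 1: the monoid (2^P, U) with no domain restriction at all.
union_monoid = PartialGroupoid(powerset(P), frozenset.union)
I1, O1 = {"t": AB}, {"t": E}

# Example 2: (2^P, U) with X forced to be the complement of I(t) in M.
complement_rule = PartialGroupoid(powerset(P), frozenset.union, bot=disjoint,
                                  bot_out=lambda X, Y: True)
# Elementary net: the partial groupoid (2^P, bot, disjoint union) of Def. 14,
# i.e. the complement rule plus X ∩ O(t) = ∅, which removes the self-loops.
elementary = PartialGroupoid(powerset(P), frozenset.union, bot=disjoint)
I2 = {"t1": frozenset("a"), "t2": E, "t3": frozenset("b"), "t4": E}
O2 = {"t1": E, "t2": frozenset("a"), "t3": E, "t4": frozenset("b")}

# Standard p/t net with the same arcs: multi-sets N^P, here bounded to at most
# 2 tokens per place so that the carrier is finite (an assumption of this
# example; the bound is never reached in the runs below).
vec = lambda *places: tuple(places.count(p) for p in P)
multisets = PartialGroupoid(list(product(range(3), repeat=len(P))),
                            lambda X, Y: tuple(x + y for x, y in zip(X, Y)))
I3 = {"t1": vec("a"), "t2": vec(), "t3": vec("b"), "t4": vec()}
O3 = {"t1": vec(), "t2": vec("a"), "t3": vec(), "t4": vec("b")}

if __name__ == "__main__":
    print("Example 1, t in {a,b}:", [set(m) for m in successors(union_monoid, I1, O1, "t", AB)])
    print("Example 2, permutations of t1 t2 t3 from {a,b}:")
    for perm, ends in sorted(order_dependent(complement_rule, I2, O2, ("t1", "t2", "t3"), AB).items()):
        print("  ", " ".join(perm), "->", [set(m) for m in ends])
    print("p/t net, same permutations from (1,1):",
          order_dependent(multisets, I3, O3, ("t1", "t2", "t3"), vec("a", "b")))
    print("elementary net, sequence {t1}{t3}{t2}{t1}:",
          run(elementary, I2, O2, ("t1", "t3", "t2", "t1"), AB),
          "composition {t1,t2,t3}:",
          run(elementary, dict(I2, v=AB), dict(O2, v=frozenset("a")), ("v",), AB))
```

Running it shows the three phenomena of this section side by side: in Example 1 the single transition $t$ has four successors from $\{a,b\}$; under the complement rule of Example 2 the permutations of $t_1 t_2 t_3$ end in two different markings, while the same arcs over multi-sets always end in $(1,0)$; and in the elementary net the sequence of singleton firing vectors and their union disagree.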

4 Algebraically Generalised Petri Nets, Transition Systems, and Abelian Groups

Based on the extensions discussed in the previous section, in this section we recall a very general algebraic structure of nets, suggested in the cited work for the purpose of investigating different Petri net extensions. Then we choose a tuple of properties that holds in the sequential case graph of each standard p/t net. Further we show which kind of partial algebra, if it is used in p/t nets instead of the integers with addition, preserves (is equivalent to) this tuple of properties.

As elementary nets illustrate, it is often useful to have a more flexible enabling rule than that considered in standard p/t nets. Now the question is how to include the treatment of such a more complicated enabling rule in a simple way into an abstract definition of Petri nets similar to the definitions proposed in the cited works. The use of partial groupoids solves this problem in an elegant way. In the following we recall very basic definitions and notation from the theory of partial groupoids (according to the cited work) used throughout the paper.

Definition 9. A partial groupoid is an ordered tuple $\mathcal{H} = (H, \bot, \dotplus)$ where $H$ is the carrier of $\mathcal{H}$, $\bot \subseteq H \times H$ is the domain of $\dotplus$, and $\dotplus : \bot \to H$ is the partial operation of $\mathcal{H}$.



Definition 10. We say that a partial groupoid $\mathcal{H} = (H, \bot, \dotplus)$ can be embedded (is embeddable) into an Abelian group iff there exists an Abelian group $(G, +)$ such that $H \subseteq G$ and the operation $+$ restricted to $\bot$ is equal to the partial operation $\dotplus$, in symbols $+|_{\bot} = \dotplus$. The group $(G, +)$ is called an embedding of the partial groupoid $\mathcal{H}$.

Recall that a total groupoid is embeddable into an Abelian group if and only if it is a cancellative commutative semigroup. Remember that a left cancellative semigroup is a semigroup where $\forall a, b, c \in H : a + b = a + c \Rightarrow b = c$. A right cancellative semigroup is defined in a similar way. A semigroup is said to be cancellative if it is both left and right cancellative. Clearly, for a commutative semigroup left and right cancellativity coincide. For more details about the embedding of semigroups into groups see e.g. the cited work. In the case of a proper partial groupoid (i.e. $\bot \subsetneq H \times H$), associativity, commutativity and cancellativity are only necessary conditions of embeddability into an Abelian group, but not sufficient.

(Footnote) In this general definition we do not pay attention to the distributivity of p/t nets, only to the algebra used. However, distributivity is a crucial property of p/t nets; it is included in the 'end-user' definitions presented in the cited work.

(Footnote) But also p/t nets with capacity and other classes of nets with a more complicated enabling rule, such as Petri nets with inhibitor arcs, contextual nets or controlled Petri nets.

4.1 Algebraically Generalised p/t Nets

Let us denote the category of sets by $\mathbf{SET}$ and the category of partial groupoids by $\mathbf{PGROUPOID}$. Further, let $U : \mathbf{PGROUPOID} \to \mathbf{SET}$ be the forgetful functor, i.e. given any partial groupoid $\mathcal{H} = (H, \bot, \dotplus)$, we have $U(\mathcal{H}) = H$.

Definition 11. A net state functor is a functor $F : \mathbf{SET} \to \mathbf{PGROUPOID}$ associating a set with a partial groupoid. Given a net state functor $F$, an algebraically generalised place/transition net is an ordered tuple $\mathcal{AN} = (P, T, I, O)$, where $P$ and $T$ are disjoint sets of places and transitions, and $I, O : T \to U \circ F(P)$ are input and output functions, respectively.

Definition 12. The structure $F(P)$ is called the (partial) algebra of $\mathcal{AN}$. In the following, let $F(P) = (H, \bot, \dotplus)$. A state of the net $\mathcal{AN}$, also called marking or case, is an element $M \in H = U \circ F(P)$. A transition $t \in T$ is enabled to occur in a state $M \in H$ if and only if $\exists X \in H$ such that $X \bot I(t) \wedge X \dotplus I(t) = M \wedge X \bot O(t)$, and then its occurrence leads to the marking $M' = X \dotplus O(t)$.

Definition 13. As usual, a marked algebraically generalised p/t net is a pair $\mathcal{MAN} = (\mathcal{AN}, M_0)$, where $\mathcal{AN}$ is an algebraically generalised p/t net and $M_0$ is a distinguished initial state of the net $\mathcal{AN}$.

Definition 14. Similarly to standard p/t nets, the sequential case graph of an algebraically generalised p/t net $\mathcal{AN} = (P, T, I, O)$ with partial algebra $F(P) = (H, \bot, \dotplus)$ is the transition system $(H, T, \to)$, where $M \xrightarrow{t} M'$ iff $t$ is enabled to occur in the state $M$ and its occurrence leads to the state $M'$, i.e.

$$M \xrightarrow{t} M' \iff \exists X \in H : X \bot I(t) \wedge X \dotplus I(t) = M \wedge X \bot O(t) \wedge M' = X \dotplus O(t).$$

Then, given an initial state $M_0 \in H$, the sequential case graph of the marked algebraically generalised p/t net $\mathcal{MAN} = (\mathcal{AN}, M_0)$ is the pointed transition system $\mathcal{PS} = (\{M_0 \to^*\}, T, \to \cap (\{M_0 \to^*\} \times T \times \{M_0 \to^*\}), M_0)$.

It is evident that standard p/t nets from the definition of p/t nets are algebraically generalised nets with the state functor associating the set of places $P$ with the monoid of all multi-sets over $P$ with multi-set addition. Elementary nets from the definition of elementary nets are algebraically generalised p/t nets with the state functor associating the set of places with the partial groupoid $(2^P, \bot, \uplus)$, where $\bot = \{(A, B) \mid A \cap B = \emptyset\}$ and $\uplus = \cup|_{\bot}$. Moreover, the algebra of standard p/t nets and the partial algebra of elementary nets are both embeddable into the Abelian group $\mathbb{Z}^P$.
4.2 Reasoning about Properties of the Partial Algebra of Algebraically Generalised p/t Nets

In the following, we choose a tuple of properties that holds in the sequential case graph of each standard p/t net. Then we find which kind of partial algebra used in algebraically generalised p/t nets preserves this tuple of properties.

Recall that given a finite string $q$ over a set $A$ we write $b_q$ to denote the Parikh image of $q$, i.e. $b_q \in \mathbb{N}^A$ is the multi-set in which the number of occurrences $b_q(a)$ of each element $a$ from $A$ is given by the number of its occurrences in $q$.

Definition 15. Let $\mathcal{S} = (S, L, \to)$ be a transition system. We say that the system $\mathcal{S}$ is commutative iff $\forall s \xrightarrow{q} s', s \xrightarrow{q'} s'' : b_q = b_{q'} \Rightarrow s' = s''$.

Evidently, the sequential case graph of the net from Example 2 is not a commutative transition system. It is also clear that every commutative transition system is deterministic.

For commutative transition systems it is straightforward to extend the string transition relation $\xrightarrow{q}$ to the multi-set transition relation $\to_{\diamond} \subseteq S \times \mathbb{N}^L \times S$ such that $(s, b, s') \in \to_{\diamond}$ iff there exists $q \in L^*$ such that $s \xrightarrow{q} s' \wedge b_q = b$. As usual, we write $s \xrightarrow{b}_{\diamond} s'$ to denote $(s, b, s') \in \to_{\diamond}$ and $s \xrightarrow{b}_{\diamond}$ to denote that $\exists s' \in S : s \xrightarrow{b}_{\diamond} s'$. Clearly, $s \xrightarrow{b}_{\diamond} s' \xrightarrow{b'}_{\diamond} s''$ implies $s \xrightarrow{b + b'}_{\diamond} s''$.

Now recall that a congruence $\approx$ on an Abelian group $(G, +)$ is an equivalence relation on $G$ preserving the group operation, i.e. $a \approx b \wedge c \approx d \Rightarrow (a + c) \approx (b + d)$ for every $a, b, c, d \in G$. As usual, given an element $g \in G$, we denote by $[g]_{\approx} = \{g' \mid g' \approx g\}$ the equivalence class containing the element $g$, and by $+_{/\approx}$ the operation on $G/{\approx} = \{[g]_{\approx} \mid g \in G\}$ given as follows: $\forall [g]_{\approx}, [g']_{\approx} \in G/{\approx} : [g]_{\approx} +_{/\approx} [g']_{\approx} = [g + g']_{\approx}$. In other words, $(G/{\approx}, +_{/\approx})$ is the factor group of the group $(G, +)$ according to the congruence $\approx$. For a more general statement of congruence we refer to the cited work.

Finally, let us define consensual commutative transition systems.

Definition 16. Given a commutative transition system $\mathcal{S} = (S, L, \to)$, let the relation $\sim_{\mathcal{S}} \subseteq \mathbb{N}^L \times \mathbb{N}^L$ be such that $b \sim_{\mathcal{S}} b' \iff \exists s \xrightarrow{b}_{\diamond} s', s \xrightarrow{b'}_{\diamond} s'$. Let $\approx_{\mathcal{S}} \subseteq \mathbb{Z}^L \times \mathbb{Z}^L$ be the least congruence on $\mathbb{Z}^L$ containing $\sim_{\mathcal{S}}$, i.e. $\sim_{\mathcal{S}} \subseteq \approx_{\mathcal{S}}$. We say that $\mathcal{S}$ is consensual iff $\forall s \xrightarrow{b}_{\diamond} s', s \xrightarrow{b'}_{\diamond} s'' : b \approx_{\mathcal{S}} b' \Rightarrow s' = s''$.

In the following, we simply write $\sim$ and $\approx$ to denote $\sim_{\mathcal{S}}$ and $\approx_{\mathcal{S}}$ if the system $\mathcal{S}$ is clear from the context. Also, given a consensual commutative transition system $\mathcal{S}$ we say that "$\mathcal{S}$ is commutative and consensual" instead of (maybe more precise but a bit laborious) "$\mathcal{S}$ is consensual commutative". We choose the name 'consensual' because it expresses a kind of 'common opinion' of the multi-sets on the problem "how to change the state". If they change a state in the same way once (from a common source state to a common target state) then they do so also for all other states in which they both can occur (if they are in any other common source state and both can occur, then they lead to a common target state again). Moreover, this 'consensus' is transitive and closed under addition and subtraction of multi-sets.



Lemma 1. The sequential case graph $(S, L, \to)$ of every standard p/t net $N = (P, T, I, O)$ (given by the definition of p/t nets) is commutative and consensual.

Proof. For the sequential case graph of a p/t net $N$ we have from its definition: $M \xrightarrow{q} M' \Rightarrow M' = M + C(b_q)$ for every $M \xrightarrow{q} M'$.

Commutativity: take any $M \xrightarrow{q} M'$, $M \xrightarrow{q'} M''$ such that $b_q = b_{q'}$. From the previous result we have directly that $M' = M + C(b_q) = M + C(b_{q'}) = M''$.

Now we show consensuality, i.e. we show that $\forall M \xrightarrow{b}_{\diamond} M', M \xrightarrow{b'}_{\diamond} M'' : b \approx b' \Rightarrow M' = M''$. Take $\equiv \subseteq \mathbb{Z}^T \times \mathbb{Z}^T$ such that $b \equiv b' \iff C(b) = C(b')$. One can easily check that $\equiv$ is a congruence on the Abelian group $\mathbb{Z}^T$ (clearly, it is an equivalence, and given any $C(b) = C(b')$ and $C(d) = C(d')$ we have $C(b) + C(d) = C(b') + C(d')$, and further $C(b) + C(d) = \sum_{t \in T} C(t) \cdot b(t) + \sum_{t \in T} C(t) \cdot d(t) = \sum_{t \in T} C(t) \cdot (b(t) + d(t)) = C(b + d)$, and the same for $b', d'$, i.e. we have $C(b + d) = C(b' + d')$).

Given any $M \xrightarrow{b}_{\diamond} M', M \xrightarrow{b'}_{\diamond} M''$ we have that if $b \equiv b'$ (i.e. $C(b) = C(b')$ and therefore $M' = M + C(b) = M + C(b') = M''$) then $M' = M''$.

Because $\approx$ is the least congruence on $\mathbb{Z}^T$ containing $\sim$, it now suffices to show that $\sim \subseteq \equiv$. For every $b \sim b'$ we have from the definition of $\sim$ that $\exists M \xrightarrow{b}_{\diamond} M', M \xrightarrow{b'}_{\diamond} M'$, i.e. $M' = M + C(b) = M + C(b')$, hence $C(b) = C(b')$, i.e. $b \equiv b'$. $\square$



Lemma 2. Let $\mathcal{S} = (S, L, \to)$ be a reachable transition system. Then $\mathcal{S}$ is commutative and consensual if and only if there exists an Abelian group $\mathcal{G} = (G, +)$ such that: $\exists$ an injection $\sigma : S \to G$ $\wedge$ $\exists f : L \to G$ such that $\forall s \xrightarrow{a} s' : \sigma(s) + f(a) = \sigma(s')$.

Proof. $\Rightarrow$: Because $\approx$ is a congruence on the Abelian group $\mathbb{Z}^L$, also $\mathcal{G} = (\mathbb{Z}^L/{\approx}, +_{/\approx})$ is an Abelian group (it is the factor group of $\mathbb{Z}^L$ with respect to $\approx$, so we have $\forall b, b' \in \mathbb{Z}^L : [b + b']_{\approx} = [b]_{\approx} +_{/\approx} [b']_{\approx}$). The system $\mathcal{S}$ is reachable, i.e. we have a state, say $r \in S$, from which each $s \in S$ is reachable. Now let $\sigma$ be defined as follows: $\sigma(r) = [0]_{\approx}$ and $\forall s \in S : \sigma(s) = [b]_{\approx}$ where $r \xrightarrow{b}_{\diamond} s$. One can check that $\sigma$ is well defined (given any two $b, b'$ such that $r \xrightarrow{b}_{\diamond} s$ as well as $r \xrightarrow{b'}_{\diamond} s$ there is $b \sim b'$, hence $b \approx b'$, and therefore $[b]_{\approx} = [b']_{\approx}$), and it is an injection ($\sigma(s) = \sigma(s')$ means that there exist $r \xrightarrow{b}_{\diamond} s$ and $r \xrightarrow{b'}_{\diamond} s'$ such that $[b]_{\approx} = [b']_{\approx}$, i.e. $b \approx b'$, which, because $\mathcal{S}$ is consensual, implies $s = s'$).

Let $f : L \to \mathbb{Z}^L/{\approx}$ be given by $f(a) = [b_a]_{\approx}$ for every $a \in L$.

Now take an arbitrary $s \xrightarrow{a} s'$, i.e. $s \xrightarrow{b_a}_{\diamond} s'$. We have that $\sigma(s) = [b]_{\approx}$, where $r \xrightarrow{b}_{\diamond} s$. But then we also have $r \xrightarrow{b + b_a}_{\diamond} s'$ and therefore $\sigma(s') = [b + b_a]_{\approx} = [b]_{\approx} +_{/\approx} [b_a]_{\approx} = \sigma(s) +_{/\approx} f(a)$.

$\Leftarrow$: as in Lemma 1. $\square$
We have shown that in a reachable transition system commutativity and consensuality are equivalent to the existence of an Abelian group playing the role of the algebra in the system. In the following, a system in which computations may be expressed using elements and the composition law of an Abelian group is called an Abelian group transition system.

Definition 17. An Abelian group transition system is a transition system $\mathcal{S} = (S, L, \to)$ for which there exists an Abelian group $\mathcal{G} = (G, +)$ such that: $\exists$ an injection $\sigma : S \to G$ $\wedge$ $\exists f : L \to G$ such that $\forall s \xrightarrow{a} s' : \sigma(s) + f(a) = \sigma(s')$. The group $\mathcal{G} = (G, +)$ is said to be associated with the system $\mathcal{S}$, the injection $\sigma$ is called the state injection, and the function $f$ is called the incidence function of $\mathcal{S}$. If also $f$ is an injection then it is said that $\mathcal{S}$ is unambiguously labelled.

Corollary 1. Clearly from the definition of p/t nets, the sequential case graph of a standard p/t net $N = (P, T, I, O)$ is an Abelian group transition system (it suffices to take $\mathbb{Z}^P$ as the associated group, the inclusion from $\mathbb{N}^P$ to $\mathbb{Z}^P$ as the state injection, and the function $C$ such that $\forall t \in T : C(t) = O(t) - I(t)$ as the incidence function).

For algebraically generalised p/t nets the following claims hold:

Lemma 3. The sequential case graph of an algebraically generalised p/t net $\mathcal{AN} = (P, T, I, O)$ in which the partial algebra $F(P)$ can be embedded into an Abelian group is an Abelian group transition system.

Proof. Let $(G, +)$ denote an Abelian group into which the partial algebra $F(P)$ can be embedded. To show that the sequential case graph of $\mathcal{AN}$ is an Abelian group transition system it suffices to take $(G, +)$ as the associated group, the inclusion from $F(P)$ to $G$ as the state injection, and the function $f : T \to G$ such that $\forall t \in T : f(t) = O(t) - I(t)$ as the incidence function. $\square$



Lemma 4. Every Abelian group transition system $\mathcal{S} = (S, L, \to)$ is (transitionally) equivalent (see the definition of transitional equivalence) with the sequential case graph of an algebraically generalised p/t net $\mathcal{AN}$ in which the partial algebra $F(P)$ can be embedded into an Abelian group.

Proof. We have an Abelian group $(G, +)$ with a state injection $\sigma : S \to G$ and an incidence function $f : L \to G$ such that $\forall s \xrightarrow{a} s' : \sigma(s) + f(a) = \sigma(s')$. Without loss of generality, we can assume that $S \subseteq G \wedge \sigma(s) = s$ for every $s \in S$, and hence $\forall s \xrightarrow{a} s' : s + f(a) = s'$. Let $(K, +)$ be an Abelian group such that $L \subseteq K$. Now denote by $(H, +)$ the direct product of $(G, +)$ and $(K, +)$ (i.e. $(H, +) = (G, +) \oplus (K, +)$, and we write $(g, k)$ to denote an element of $H$, and $0$ both for the neutral element of $G$ and of $K$). For every $a \in L$ let the relation $\bot_a = (\{s \mid s \xrightarrow{a}\} \times \{-a\}) \times (\{f(a), 0\} \times \{a\}) \subseteq H \times H$. Finally denote $\bot = \bigcup_{a \in L} \bot_a$. So we have a partial algebra $\mathcal{H} = (H, \bot, +|_{\bot})$ which can be embedded into the Abelian group $(H, +)$. In the following we write as usual $\dotplus$ instead of $+|_{\bot}$. Now take, for simplicity, the constant net state functor $F : \mathbf{SET} \to \mathbf{PGROUPOID}$ that associates with each set the partial groupoid $\mathcal{H}$ (and with each function between sets the identity morphism $id : \mathcal{H} \to \mathcal{H}$). Define an algebraically generalised net $\mathcal{AN} = (P, T, I, O)$, where $P$ is an arbitrary set, $T = L$, and $I, O : T \to U \circ F(P)$ are given as follows:

$$\forall a \in T : I(a) = (0, a) \wedge O(a) = (f(a), a).$$

Let $(H, T, \rightsquigarrow)$ be the sequential case graph of the net $\mathcal{AN}$. From the definition of $\bot$ (only $(s, -a) \bot (0, a) = I(a)$ and $(s, -a) \bot (f(a), a) = O(a)$, where $s \xrightarrow{a}$, are in the relation $\bot$) we have that $\forall a \in T\ \forall X \in H : X \bot I(a) \Rightarrow (X \dotplus I(a)) = (s, 0) \in S \times \{0\}$ and also $X \bot O(a) \Rightarrow (X \dotplus O(a)) = (s', 0) \in S \times \{0\}$. From the enabling and firing rule (recall that $a \in T$ is enabled in $M \in H$ iff there exists $X \in H : X \bot I(a) \wedge X \dotplus I(a) = M \wedge X \bot O(a)$, and then the occurrence (firing) of $a$ leads to $M' = X \dotplus O(a)$), we have that $\rightsquigarrow \subseteq (S \times \{0\}) \times T \times (S \times \{0\})$, or in other words $\rightsquigarrow = \rightsquigarrow \cap ((S \times \{0\}) \times T \times (S \times \{0\}))$. Because of the construction of $\bot$ and the enabling and firing rule, we further have that

$$\forall a \in T\ \forall M \in S \times \{0\} : M = (s, 0) \overset{a}{\rightsquigarrow} M' = (s', 0) \iff s \xrightarrow{a} s'. \qquad (1)$$

So, there is an isomorphism (given by the bijection $\beta : S \times \{0\} \to S$, $\beta(s, 0) = s$ for each $s \in S$, and the identity $T = L$) between the transition system $\mathcal{S} = (S, L, \to)$ and the transition system $(S \times \{0\}, T, \rightsquigarrow)$. According to the definition of transitional equivalence this immediately implies that the system $\mathcal{S} = (S, L, \to)$ is (transitionally) equivalent with the sequential case graph $(H, T, \rightsquigarrow)$ of the algebraically generalised p/t net $\mathcal{AN}$ with partial algebra $F(P)$ embeddable into the Abelian group $(H, +)$. $\square$

The importance of the group $(K, +)$ in the above proof is that it enables us to handle the cases where some transitions cause the same change but the domains on which they are enabled to occur differ. In particular, it allows us to distinguish self-loops from each other and also from the 'no' action in our construction. The consideration of possibly different domains for transitions with the same effect makes real sense in the case of ambiguous labelling of transition systems. We pay a low price: we are still able to find an algebraically generalised p/t net with a partial algebra embeddable into an Abelian group whose sequential case graph differs from the original system only in isolated states. This price is real in the sense that there exist Abelian group transition systems for which a net whose partial algebra is embeddable into an Abelian group and whose sequential case graph is isomorphic with the system, if we consider also isolated states, does not exist. For example, such a transition system is shown in the following figure.

[Figure: an Abelian group transition system, with arcs labelled $b$, for which no net with $F(P)$ embeddable into an Abelian group has an isomorphic sequential case graph.]

It can be easily verified that for every algebraically generalised p/t net with $F(P)$ embeddable into an Abelian group, whose sequential case graph is equivalent with the previous system, the partial groupoid $F(P)$ must have more than two elements.

One may see the problem independently of Petri nets. Given a deterministic transition system $\mathcal{S} = (S, L, \to)$ and an arbitrary Abelian group $(G, +)$ such that $S \subseteq G$, we can define a partial function $\delta : S \times L \to G$, defined for $(s, a) \in S \times L$ iff $s \xrightarrow{a}$, such that $s' = s + \delta(s, a)$ whenever $s \xrightarrow{a} s'$. Then easily, $\mathcal{S}$ is an Abelian group transition system iff there exists such an Abelian group that for the above mentioned function $\delta$ there holds:

$$\forall a \in L\ \forall s, s' \in S : s \xrightarrow{a} \wedge s' \xrightarrow{a} \Rightarrow \delta(s, a) = \delta(s', a). \qquad (2)$$

Remark 1. If (2) holds, one can choose $f : L \to G$ such that $f(a) = \delta(s, a)$, where $s \in S$ is an arbitrary state such that $s \xrightarrow{a}$. On the other hand, if $\mathcal{S}$ is an Abelian group transition system one can choose $\delta(s, a) = f(a)$ for every $(s, a) \in S \times L$ such that $s \xrightarrow{a}$.

We should say that the $\mathbb{Z}$-extension of a function, already mentioned earlier in the paper, can be treated more generally. For our purpose, given an Abelian group $(G, +)$ and a set $A$, the $\mathbb{Z}$-extension of a function $f : A \to G$ is the function $\bar{f} : \mathbb{Z}^A \to G$ such that $\forall b \in \mathbb{Z}^A : \bar{f}(b) = \sum_{a \in A} f(a) \cdot b(a)$, where the sum over the empty set is zero, i.e. we have $\bar{f}(0) = 0$. Let us mention that the previous construction is a special case of a semiring extension of a function from an arbitrary set to the carrier of a (left) semimodule over a semiring.

So, for an Abelian group transition system we have $\forall q \in L^* : s \xrightarrow{q} s' \Rightarrow s' = s + \bar{f}(b_q)$, or, in other words, we have that the existence of a nonnegative solution of the state equation $s' = s + \bar{f}(b_q)$ is a necessary condition for reachability of the state $s'$ from the state $s$.
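The following Python program is an added example, not code from the paper. It takes a finite transition system as an explicit list of arcs whose states are tuples in $\mathbb{Z}^n$ (so $\sigma$ is the inclusion), checks condition (2), builds the incidence function $f$ as in Remark 1 together with its $\mathbb{Z}$-extension, and uses the state equation as a necessary condition for reachability. The three arc lists are constructed by hand for the example: the case graph of a small p/t net, the case graph of Example 2 with markings written as characteristic vectors, and a net with a self-loop in which the state equation has a nonnegative solution although the target is unreachable. The bounded brute-force search for solutions is an assumption of the example, not a general solver.

```python
"""Condition (2), the incidence function and the state equation for a finite
transition system whose states are tuples over Z^n (added example, not code
from the paper).  The arc lists below are constructed by hand.
"""
from collections import deque
from itertools import product


def delta(s, s2):
    """The difference s2 - s in the group Z^n."""
    return tuple(y - x for x, y in zip(s, s2))


def incidence(edges):
    """Check condition (2): delta(s, a) must not depend on s.  Returns the
    incidence function f (label -> group element), chosen as in Remark 1, and
    the list of violations (a, s, s2, first delta seen, conflicting delta)."""
    f, violations = {}, []
    for s, a, s2 in edges:
        d = delta(s, s2)
        if a not in f:
            f[a] = d
        elif f[a] != d:
            violations.append((a, s, s2, f[a], d))
    return f, violations


def z_extension(f, b):
    """The Z-extension of f: the sum over labels of f(a) * b(a), b: label -> int."""
    n = len(next(iter(f.values())))
    total = [0] * n
    for a, k in b.items():
        total = [x + k * y for x, y in zip(total, f[a])]
    return tuple(total)


def state_equation_solutions(f, s, s2, bound):
    """All nonnegative b with every b(a) <= bound solving s2 = s + f(b).
    An empty result means s2 is certainly not reachable from s within the
    bound; a nonempty result is only a necessary condition for reachability."""
    labels = sorted(f)
    sols = []
    for counts in product(range(bound + 1), repeat=len(labels)):
        b = dict(zip(labels, counts))
        if z_extension(f, b) == delta(s, s2):
            sols.append(b)
    return sols


def reachable(edges, s, s2):
    """Breadth-first search along the arcs: is s2 reachable from s?"""
    seen, todo = {s}, deque([s])
    while todo:
        cur = todo.popleft()
        if cur == s2:
            return True
        for src, _, dst in edges:
            if src == cur and dst not in seen:
                seen.add(dst)
                todo.append(dst)
    return False


# (A) Sequential case graph of the p/t net t: p -> q, u: q -> p from (2, 0).
PT_EDGES = [((2, 0), "t", (1, 1)), ((1, 1), "t", (0, 2)),
            ((1, 1), "u", (2, 0)), ((0, 2), "u", (1, 1))]

# (B) Sequential case graph of the net of Example 2, markings as characteristic
# vectors of subsets of {a, b}: {} = (0,0), {a} = (1,0), {b} = (0,1), {a,b} = (1,1).
EX2_EDGES = [((1, 0), "t1", (0, 0)), ((1, 1), "t1", (0, 1)),
             ((0, 0), "t2", (1, 0)), ((1, 0), "t2", (1, 0)),
             ((0, 1), "t2", (1, 1)), ((1, 1), "t2", (1, 1)),
             ((0, 1), "t3", (0, 0)), ((1, 1), "t3", (1, 0)),
             ((0, 0), "t4", (0, 1)), ((1, 0), "t4", (1, 1)),
             ((0, 1), "t4", (0, 1)), ((1, 1), "t4", (1, 1))]

# (C) A p/t net with a self-loop: t needs one token in p, returns it and
# produces one token in q.  Among the states (0,0), (1,0), (1,1) only one arc
# exists, so the system is not reachable from (0,0).
LOOP_EDGES = [((1, 0), "t", (1, 1))]

if __name__ == "__main__":
    f, bad = incidence(PT_EDGES)
    print("p/t net: f =", f, "violations:", bad)
    print("(2,0)->(0,2) solutions:", state_equation_solutions(f, (2, 0), (0, 2), 3),
          "reachable:", reachable(PT_EDGES, (2, 0), (0, 2)))
    _, bad2 = incidence(EX2_EDGES)
    print("Example 2 violates (2) on labels:", sorted({v[0] for v in bad2}))
    f3, _ = incidence(LOOP_EDGES)
    print("self-loop net, (0,0)->(0,1) solutions:",
          state_equation_solutions(f3, (0, 0), (0, 1), 3),
          "reachable:", reachable(LOOP_EDGES, (0, 0), (0, 1)))
```

For (A) every label has a single $\delta$, so $f(t) = (-1, 1)$ and $f(u) = (1, -1)$ and the system is an Abelian group transition system; for (B) the labels $t_2$ and $t_4$ violate (2), which is the phenomenon noted after Example 2 ($t_2$ changes $\{b\}$ but not $\{a\}$); for (C) the state equation $(0,1) = (0,0) + 1 \cdot f(t)$ has a nonnegative solution, yet $(0,1)$ is not reachable, showing that the condition is necessary but not sufficient.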

One may be interested in the problem when a transition system $\mathcal{S}$ is an Abelian group transition system, i.e. what the necessary and sufficient conditions for Abelian group transition systems are. According to Lemma 2, for reachable transition systems this holds if and only if the system is commutative and consensual. The following figure gives a non-reachable commutative and consensual transition system that is not an Abelian group transition system.

[Figure: a non-reachable commutative and consensual transition system that is not an Abelian group transition system.]

Now we would like to find properties similar to those in Lemma 2 also for transition systems which may not be reachable.

Given a transition system $\mathcal{S} = (S, L, \to)$ let $L^{-1}$ denote a set with the same cardinality as $L$ and $L \cap L^{-1} = \emptyset$. Let $\alpha : L \to L^{-1}$ be a bijection. Because the purpose of this is to define inverse elements of those in $L$, given $a \in L$ we denote $\alpha(a)$ by $a^{-1}$. We define $\to^{-1} \subseteq S \times L^{-1} \times S$ as follows: $\to^{-1} = \{(s', a^{-1}, s) \mid s \xrightarrow{a} s'\}$. Then we define $\leftrightarrow \subseteq S \times (L \cup L^{-1}) \times S$ as the union of the relations $\to$ and $\to^{-1}$, i.e. $\leftrightarrow = \to \cup \to^{-1}$. Finally, the transition system $(S, L \cup L^{-1}, \leftrightarrow)$ is shortly denoted by $\mathcal{S}^{\leftrightarrow}$. In words, $\mathcal{S}^{\leftrightarrow}$ is the symmetric closure of $\mathcal{S}$ in which 'back-arrows' are denoted by 'inverse' labels. Directly from the definition of Abelian group transition systems we have the corollary:
Corollary 2. A transition system $\mathcal{S}$ is an Abelian group transition system if and only if its symmetric closure $\mathcal{S}^{\leftrightarrow}$ is an Abelian group transition system.

Now we can formulate the following claim.

Lemma 5. A transition system $\mathcal{S} = (S, L, \to)$ is an Abelian group transition system if and only if its symmetric closure $\mathcal{S}^{\leftrightarrow}$ is commutative and consensual.

Proof. $\Rightarrow$: as in Lemma 2.

$\Leftarrow$: Denote by $\mathcal{C}$ the collection of equivalence classes of the equivalence generated by the relation $\rightleftharpoons \subseteq S \times S$ given by $s \rightleftharpoons s' \iff s \xrightarrow{a} s' \vee s' \xrightarrow{a} s$. Then the symmetric closure $\mathcal{S}^{\leftrightarrow}$ is a collection of isolated strongly connected components, i.e. mutually isolated reachable subsystems of $\mathcal{S}^{\leftrightarrow}$ with state sets given by the equivalence classes from $\mathcal{C}$, in which $\forall C \in \mathcal{C}\ \forall s \in C : \{s \leftrightarrow^*\} = C$. Now take a group, say $\mathcal{K} = (K, +, 0_K)$, with cardinality the same as (or greater than) the collection $\mathcal{C}$ of these isolated strongly connected components, and an injection $\mu : \mathcal{C} \to K$. Take one element in every component, say $s_C$, for every component $C \in \mathcal{C}$. Take the injective function $\sigma : S \to \mathcal{K} \oplus \mathbb{Z}^{L \cup L^{-1}}/{\approx_{\mathcal{S}^{\leftrightarrow}}}$ which maps $s_C$ to $(\mu(C), [0]_{\approx_{\mathcal{S}^{\leftrightarrow}}})$ for every $C \in \mathcal{C}$, and $\forall C \in \mathcal{C}\ \forall s \in C : \sigma(s) = (\mu(C), [b]_{\approx_{\mathcal{S}^{\leftrightarrow}}})$ where $s_C \xrightarrow{b}_{\diamond} s$ in $\mathcal{S}^{\leftrightarrow}$. Looking at the proof of Lemma 2 we see that $\sigma$ is well defined on $S$ and injective inside every component $C \in \mathcal{C}$, and because the states of different components are labelled by different elements of $K$ we have that it is injective also on the whole set $S$. Now take $f : L \cup L^{-1} \to \{0_K\} \times \mathbb{Z}^{L \cup L^{-1}}/{\approx_{\mathcal{S}^{\leftrightarrow}}}$ such that $\forall a \in L \cup L^{-1} : f(a) = (0_K, [b_a]_{\approx_{\mathcal{S}^{\leftrightarrow}}})$.

According to the fact that whenever $s \xrightarrow{a} s'$ we have that $s$ and $s'$ belong to the same component, occurrences of transitions do not change the $K$-component of the $\sigma$ value of the new state, and following the way of the proof of Lemma 2 one can check that for every $s \xrightarrow{a} s'$ we have $\sigma(s') = \sigma(s) + f(a)$. So, $\mathcal{S}^{\leftrightarrow}$ is an Abelian group transition system. According to Corollary 2 also the system $\mathcal{S}$ is an Abelian group transition system. $\square$

Now we can complete our picture by showing which properties are equivalent to the use of a partial algebra embeddable into an Abelian group in algebraically generalised p/t nets also for the sequential case graphs of unmarked p/t nets. Recall (from Corollaries 1 and 2) that the symmetric closure of the sequential case graph of each standard p/t net (given by the definition of p/t nets) is commutative and consensual. So, following Lemmas 3, 4 and 5 we formulate the theorem.

Theorem 1. The symmetric closure of the sequential case graph of every algebraically generalised p/t net in which the partial algebra $F(P)$ can be embedded into an Abelian group is commutative and consensual. Every transition system whose symmetric closure is commutative and consensual is equivalent (with respect to the definition of transitional equivalence) to the sequential case graph of an algebraically generalised p/t net in which the partial algebra $F(P)$ can be embedded into an Abelian group.

We have shown the properties corresponding to the use of a partial algebra embeddable into an Abelian group in Petri nets. One can choose a more general algebra, but should be prepared that by doing this some of these properties can be lost (in the case of commutative monoids, as we demonstrated in Example 2, we might even lose commutativity!). This is our main message. It is challenging to investigate the role of the (partial) algebra used in Petri nets also through other properties than commutativity and consensuality of sequential case graphs.

We have also shown that every Abelian group transition system is transitionally equivalent with the sequential case graph of an algebraically generalised net whose partial algebra $F(P)$ is embeddable into an Abelian group. Following this result, one can investigate the relationship between transition systems and algebraically generalised p/t nets in more general settings: Given a class $\mathcal{A}$ of groupoids with some specified property, one can characterise the class $\mathcal{TS}_{\mathcal{A}}$ of transition systems such that $(S, L, \to) \in \mathcal{TS}_{\mathcal{A}}$ iff $\exists (A, +) \in \mathcal{A}$ such that $\exists$ an injection $\sigma : S \to A$ and $\exists f : L \to A$ such that $\forall s \xrightarrow{a} s' : \sigma(s) + f(a) = \sigma(s')$. We can investigate the relationship of such a class $\mathcal{TS}_{\mathcal{A}}$ with algebraically generalised p/t nets, and in particular with algebraically generalised p/t nets the related (partial) algebra $F(P)$ of which is embeddable into a groupoid from the class $\mathcal{A}$. For example, if we chose for the class $\mathcal{A}$ the class of commutative monoids (so that $\mathcal{TS}_{\mathcal{A}}$ is the class of commutative monoid transition systems) then evidently every system from $\mathcal{TS}_{\mathcal{A}}$ is commutative. On the other hand, Example 2 shows that the sequential case graph $\mathcal{S}$ of the algebraically generalised p/t net in which $F(P)$ is the commutative monoid of the power set of places with union is not a commutative transition system. In this general setting the equivalence of the class of Abelian group transition systems and the class of sequential case graphs of algebraically generalised p/t nets in which $F(P)$ is embeddable into an Abelian group (enabled by invertibility) seems to be specific.

5 Conclusion 

In the paper we have suggested an extension of Petri nets based on generalising 
algebra as well as enabling rule used in the dynamics of nets. Our approach of 
such extension have been based on using partial groupoids in Petri nets. The 
motivation of the presented frame has been to offer an abstract and uniform 
frame for description of various behavioural extensions of Petri nets. Further, 
we have studied the role of partial algebra used in such algebraically generalised 
Petri nets through properties of their interleaving semantics - labelled transition 
systems called traditionally sequential case graphs. Our motivation and aim have 
been to determine the class of partial groupoids used in algebraically generalised 
Petri net which preserve some natural semantic properties guaranteed in stan- 
dard Petri nets. We have started with a very general definition of Petri nets 
using a state functor mapping the set of places to partial groupoids, i.e. to Petri 
net partial algebra. For purpose of the study we have chosen the pair of semantic 
properties preserved in sequential case graphs of all standard Petri nets, namely 
commutativity of occurrences of transitions, which enables us to use multi-sets 
instead of sequences of transitions, and consensuality of computations in Petri 
nets (that means if the occurrences of two sequences of transitions in one state 
(marking) lead to the common new state, then they lead to the common new 
state from every other state in which both sequences are enabled to occur, and 
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moreover, this ‘consensus’ is transitive and closed under addition and subtrac- 
tion of multi-sets). These two properties are crucial for the possibility of using 
linear algebraic techniques in the description and analysis of Petri nets. We have 
shown that using an arbitrary commutative monoid as Petri net algebra, as sug- 
gested in does not preserve determinism and commutativity of occurrences 
of transitions in sequential case graphs of Petri nets, and although one uses 
some additional requirements to satisfy determinism, as it is done in the 
sequential case graph still may not preserve commutativity. In other words, the 
construction of Petri nets causes that the commutativity of a monoid does not 
guarantee the commutativity of the corresponding sequential case graphs. 

In this paper we have extended results from also for non-reachable transi- 
tion systems and unmarked Petri nets. Namely, we have proven that for a transi- 
tion system S (not necessarily reachable) the following statements are equivalent: 

— the symmetric closure of S is commutative and consensual; 

— S is an Abelian group transition system, i.e. a system in which computations 
may be expressed using elements and the operation of an Abelian group; 

— S is transitionally equivalent (i.e. differs only in isolated states) with the 
sequential case graph of an algebraically generalised Petri net the partial 
algebra of which is embeddable into an Abelian group. 

Finally, let us mention that the wide applicability of the presented frame 
has been illustrated in various examples. 
Abstract. The paper outlines a Petri net as well as a structural operational 
semantics for an algebra of process expressions. It specifically 
addresses this problem for the box algebra, a model of concurrent computation 
which combines Petri nets and standard process algebras. The 
paper proceeds in arguably the most general setting. For it allows infinite 
operators, and recursive definitions which can be unguarded and 
involve infinitely many recursion variables. The main result is that it is 
possible to obtain a framework where process expressions can be given 
two, entirely consistent, kinds of semantics, one based on Petri nets, the 
other on SOS rules. 

Keywords: Net-based algebraic calculi; relationships between net theory 
and other approaches; process algebras; box algebra; refinement; 
recursion; SOS semantics. 



1 Introduction 

Concurrency theory is a challenging and difficult subject of Computing Science, 
so much so that, to this date, no single mathematical formalisation of it, of which 
there exist many, can claim to have absolute priority over others. This paper 
is about combining two widely known and well studied theories of concurrency: 
process algebras [1,14,15,18] and Petri nets [2,19,22]. Process algebras: (i) allow 
the study of connectives directly related to actual programming languages; 
(ii) are compositional by definition; (iii) come with a variety of logics facilitating 
reasoning about important properties of systems; and (iv) support a variety of 
algebraic laws. On the other hand, Petri nets: (v) sharply distinguish between 
states and activities (the latter being defined as changes of state); (vi) treat 
global states and global activities as derived from their basic local counterparts; 
(vii) have a graphical representation which is easy to grasp and has therefore 
some wide appeal for practitioners; and (viii) have useful links both to graph 
theory and to linear algebra. 

The work presented in this paper (in itself a continuation of, among others, [4, 
5, 16]) does not subscribe to the ambition of trying to achieve a full combination 
of (i)-(viii) above - at least not immediately. Rather, it attempts to forge links 
between a fundamental (but restricted) class of Petri nets and a basic (but 
again restricted) process algebra. This paper will investigate the structural and 
behavioural aspects of these two basic models, and its main point is that there 
is, in fact, an extremely strong equivalence between them. 

The box algebra is based on a set of process terms, called box expressions. 
Each box expression has associated two consistent kinds of semantics: a Petri net 
called a box (with its standard Petri net transition firing rule), and an operational 
semantics defined using SOS derivation rules [21]. A particular instance of the 
box algebra is the Petri Box Calculus (PBC) [3, 4, 9, 13] - a direct inspiration for 
the introduction of the box algebra. Note that the technique of associating Petri 
nets with process algebra expressions has also been studied for other models [7, 
8,11,12,20,23]. 

The model we are going to describe is based on a set of operators, OpBox, 
which can be used to construct valid box expressions. For each operator $op \in OpBox$ 
there is an associated operator in the domain of boxes, $\Omega_{op}$. This allows 
one to compositionally define, for every box expression $E = op(E_1, E_2, \ldots)$, a 
corresponding net, $box(E) = \Omega_{op}(box(E_1), box(E_2), \ldots)$. The set of PBC operators 
includes sequence (denoted by the semicolon), choice (denoted by $\square$), and 
parallel composition (denoted by $\|$). However, the box algebra supports a much 
richer set of constructs, including fully general recursion. 

The two semantical models of the box algebra have been studied and devel- 
oped in, e.g., [3,5,16]. In particular, it has been shown there that the two se- 
mantics are equivalent in the sense of generating strongly equivalent behaviours 
(in bisimulation sense [18]). This paper extends the already published results in 
three directions. First, the previous results were only applicable to finite 
operators; i.e., it was assumed that $op(K_1, K_2, \ldots) = op(K_1, K_2, \ldots, K_n)$, for some 
$n$. In this paper, op can in general take any number of arguments, in particular 
infinitely many. The interest in such general operators is motivated by a 
need to model operators like the indexed choice $\square_{i \in I}$, i.e., a fully generalised choice operator 
of Milner’s CCS [18], which in turn can be used to give formal semantics to a 
process algebra with value-passing. Second, we remove two restrictions previ- 
ously imposed on nets representing operators and operands; but we also analyse 
the conditions under which such a step does not compromise the behavioural 
integrity of the model. The third extension concerns consistency between the 
net semantics and operational semantics. We strengthen the previous results by 
stating that they generate, for every process expression, not only bisimulation 
equivalent, but in fact isomorphic transition systems; thus providing arguably 
the strongest possible consistency result. 

The paper is organised as follows. In the next section, we introduce various 
classes of Petri nets used throughout the paper. Section 3 defines net refinement, 
the basic device to compose nets. Section 4 presents an algebra of process ex- 
pressions based on the formalism developed in the preceding sections, and the 
last section states the above consistency result. 

We use the standard mathematical notation. In particular, $mult(X)$ denotes 
the set of all finite multisets over a set $X$, and $\uplus$ the disjoint set union. Other 
multiset-related notation are the sum ($+$) and difference ($-$). 
2 Preliminaries 

Each operator on nets will be based on a special net $\Omega_{op}$ whose transitions 
$v_1, v_2, \ldots$ are refined by the corresponding nets $\Sigma_1, \Sigma_2, \ldots$ in the process of 
forming a new net $\Omega_{op}(\Sigma_1, \Sigma_2, \ldots)$. To carry this out, we need to distinguish 
nets that are easily composable with one another. The chosen class of Petri nets, 
called boxes, have interfaces expressed by labellings of places and transitions. 
There are two main classes of boxes which we will be interested in, viz. plain 
boxes and operator boxes. Plain boxes ($\Sigma_1, \Sigma_2, \ldots$ above) form the class of 
elements of our Petri net domain upon which various operators are defined. 
Operator boxes ($\Omega_{op}$ above) are patterns (or functions) defining the ways of 
constructing new plain boxes out of given ones. 

Labelled Nets. We assume a set Lab of actions to be given; each $a \in Lab$ 
represents some interface activity. A relabelling $\rho$ is a relation $\rho \subseteq mult(Lab) \times Lab$ 
such that $(\emptyset, a) \in \rho$ if and only if $\rho = \{(\emptyset, a)\}$. The intuition behind a pair $(\Gamma, a)$ 
belonging to $\rho$ is that it specifies some interface change which can be applied to 
a (finite) group of transitions whose labels match the argument, i.e., the multiset 
of actions $\Gamma$, and which are synchronised to yield a new transition labelled $a$. 

A constant relabelling, $\rho_a = \{(\emptyset, a)\}$, where $a$ is an action in Lab, can be 
identified with $a$ itself, so that we may consider the set of actions Lab to be 
embedded in the set of all relabellings. If a relabelling is not constant, then it 
will be called transformational; in that case, the empty set will not be in its 
domain, in order not to create an action out of nothing. The identity relabelling, 
$\rho_{id} = \{(\{a\}, a) \mid a \in Lab\}$, captures the ‘keep things as they are’ (non)change. 

By a (marked) labelled net we will mean a tuple $\Sigma = (S, T, W, \lambda, M)$ such 
that: $S$ and $T$ are disjoint sets of respectively places and transitions; $W$ is a 
weight function from the set $(S \times T) \cup (T \times S)$ to the set of natural numbers $\mathbb{N}$; 
$\lambda$ is a labelling function for places and transitions such that $\lambda(s) \in \{e, i, x\}$, for 
every place $s \in S$, and $\lambda(t)$ is a relabelling $\rho$, for every transition $t \in T$; and $M$ is 
a marking, i.e., a mapping assigning a natural number to each place $s \in S$.¹ We 
adopt the standard rules about representing nets as directed graphs. To avoid 
ambiguity, we will sometimes decorate the various components of $\Sigma$ with the 
index $\Sigma$; thus, $T_\Sigma$ denotes the set of transitions of $\Sigma$, etc. A net is finite if both 
$S$ and $T$ are finite sets. Figure 1 shows the graph of a labelled net $\Sigma_0$. 

If the labelling of a place $s$ is $e$, $i$ or $x$, then $s$ is an entry, internal or exit place, 
respectively. By convention, ${}^\circ\Sigma$ and $\Sigma^\circ$ denote respectively the entry and exit 
places of $\Sigma$; the remaining places are its internal places. For every place (transition) $x$, we use ${}^\bullet x$ to denote its 
pre-set, i.e., the set of all transitions (places) $y$ such that there is an arc from $y$ to 
$x$, that is, $W(y, x) > 0$. The post-set $x^\bullet$ is defined in a similar way. The pre- and 
post-set notation extends in the usual way to sets $R$ of places and transitions, 
e.g., ${}^\bullet R = \bigcup_{x \in R} {}^\bullet x$. In what follows, all nets are assumed to be T-restricted, 
i.e., the pre- and post-sets of each transition are nonempty. $\Sigma$ is called simple 
if $W$ always returns 0 or 1, and pure if for all transitions $t \in T$, ${}^\bullet t \cap t^\bullet = \emptyset$. 

¹ Sometimes we will treat $M$ as a set, if $M(S) \subseteq \{0, 1\}$. 
Fig. 1. A labelled net and its reachability graph. 

For the labelled net of figure 1 we have ${}^\circ\Sigma_0 = \{s_0, s_3\}$, $\Sigma_0^\circ = \{s_2\}$ and ${}^\bullet s_0 = \emptyset$. 
This net is finite and simple, but not pure as $s_3 \in {}^\bullet t_2 \cap t_2^\bullet$. 

We will use three explicit ways of modifying the marking of $\Sigma$. We define $\lfloor\Sigma\rfloor$ 
as $(S, T, W, \lambda, \emptyset)$, which amounts to erasing all the tokens. Moreover, $\overline{\Sigma}$ and $\underline{\Sigma}$ are, 
respectively, $(S, T, W, \lambda, {}^\circ\Sigma)$ and $(S, T, W, \lambda, \Sigma^\circ)$. These operations correspond 
to placing one token on each entry (resp. exit) place and nothing elsewhere, thus 
constituting the entry marking (resp. the exit marking). 

Execution Semantics. The behaviour of $\Sigma$ is defined by its finite step sequence 
semantics: a finite multiset of transitions $U$, called a step, is enabled by $\Sigma$ if for 
every place $s \in S$, $M(s) \geq \sum_{t \in U} U(t) \cdot W(s, t)$. We denote this by $M[U\rangle$. 

An enabled step $U$ can be executed leading to a follower marking $M'$ defined, 
for every $s \in S$, by $M'(s) = M(s) + \sum_{t \in U} U(t) \cdot (W(t, s) - W(s, t))$. We will 
denote this by $\Sigma[U\rangle\Sigma'$, where $\Sigma' = (S, T, W, \lambda, M')$. For $\Sigma_0$ in figure 1, $\{t_0, t_2\}$ 
is an enabled step. After its execution, $\{t_1\}$ is enabled and, hence, $\{t_0, t_2\}\{t_1\}$ 
is a step sequence of $\Sigma_0$. Formally, a step sequence of $\Sigma$ is a possibly empty 
sequence of steps, $\omega = U_1 \ldots U_k$, such that there are nets $\Sigma_1, \ldots, \Sigma_k$ satisfying 
$\Sigma[U_1\rangle\Sigma_1[U_2\rangle \cdots [U_k\rangle\Sigma_k$. We will denote this by $\Sigma[\omega\rangle\Sigma_k$ or $\Sigma_k \in [\Sigma\rangle$. 

A marking $M$ is safe if $M(S) \subseteq \{0, 1\}$. A safe marking is clean if it is not a 
proper superset of ${}^\circ\Sigma$ (the entry marking) nor $\Sigma^\circ$ (the exit marking), i.e., if 
${}^\circ\Sigma \subseteq M$ or $\Sigma^\circ \subseteq M$ implies ${}^\circ\Sigma = M$ or $\Sigma^\circ = M$, respectively. The marking 
of the net in figure 1 is both safe and clean. A labelled net $\Sigma$ is: ex-restricted if 
${}^\circ\Sigma \neq \emptyset \neq \Sigma^\circ$; e-directed if ${}^\bullet({}^\circ\Sigma) = \emptyset$; x-directed if $(\Sigma^\circ)^\bullet = \emptyset$; and ex-directed if 
it is both e-directed and x-directed. 

Behavioural Equivalence. Although the whole set of step sequences of a net 
may be specified by defining the full reachability graph (see [22] and figure 1), 
we do not find it a satisfactory representation in the presence of labellings. For 
example, figure 2 demonstrates that isomorphism (and, indeed, other reasonable 
notions of behavioural equivalence) of reachability graphs is not preserved 
by sequential composition of nets. This is due to the fact that it is necessary to 
distinguish the entry and exit markings when comparing the behaviour of nets 
which are subsequently composed. Instead of modifying the definition of isomorphism, 
we address this problem by adding to $\Sigma$ (artificially) two fresh transitions, 
skip and redo, so that ${}^\bullet skip = redo^\bullet = {}^\circ\Sigma$, $skip^\bullet = {}^\bullet redo = \Sigma^\circ$, $\lambda(skip) = skip$ 
and $\lambda(redo) = redo$. Moreover, all the arcs adjacent to the skip and redo transitions 
are unitary and $redo, skip \notin Lab$. Denote the net $\Sigma$ augmented with skip 
and redo by $\Sigma_{sr}$. Then the transition system generated by $\Sigma$ with $M_\Sigma \neq \emptyset$ is 
defined as $ts_\Sigma = (V, L, A, v_0)$ where $V = \{\Theta \mid \Theta_{sr} \in [\Sigma_{sr}\rangle\}$ is the set of states, 
$v_0 = \Sigma$ is the initial state, $L = mult(T_\Sigma \uplus \{redo, skip\})$ is the set of arc labels, 
and the arcs are given by: $A = \{(\Theta, U, \Psi) \mid \Theta_{sr} \in [\Sigma_{sr}\rangle \wedge \Theta_{sr}[U\rangle\Psi_{sr}\}$ (see 
also figure 2). In other words, $ts_\Sigma$ is the reachability graph of $\Sigma_{sr}$ with all the 
references to skip and redo at the nodes (but not arcs) of the graph erased. The 
transition system generated by $\Sigma$ with $M_\Sigma = \emptyset$ is defined as $ts_\Sigma = ts_{\overline{\Sigma}}$. Figure 2 
shows that adding skip and redo does solve the problem; although the nets $\Sigma$ 
and $\Theta$ have isomorphic reachability graphs, their ts’s are different. This is not 
a mere chance; ts-isomorphism turns out to be a congruence in the net algebra 
defined in the next section. It therefore follows that $ts_\Sigma$ can be accepted as a 
good representation of the global behaviour of $\Sigma$. 




Fig. 2. Five nets and the corresponding (labelled) full reachability graphs demonstrating 
that isomorphism of reachability graphs is not preserved by sequential composition; 
the two discriminating ts’s for $\Sigma$ and $\Theta$ are also shown. 
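As an added illustration of the step semantics, the safe/clean conditions and the skip/redo construction defined above (example code written for this edition, not part of the paper), the following Python script fires steps of a labelled net, builds its reachability graph, and compares that graph with the transition system ts_Σ obtained after adding skip and redo. The two nets Σ and Θ it uses are constructed for the example and are not the nets of figure 2: Σ moves a token from its entry place to its exit place by one a-labelled transition, Θ moves it to an internal place instead and has an isolated exit place. Their reachability graphs from the entry marking are isomorphic (two states, one arc), but redo only ever becomes enabled in Σ, so the two ts's differ in their number of states.

```python
"""Step semantics, reachability graph and the skip/redo transition system
ts_Sigma of a labelled net (section 2).  Added example, not from the paper."""
from collections import deque
from itertools import combinations

class LabelledNet:
    """Sigma = (S, T, W, lambda, M): places {s: 'e'|'i'|'x'}, trans {t: label},
    arcs {(x, y): weight} on (S x T) u (T x S), marking {s: tokens}."""
    def __init__(self, places, trans, arcs, marking):
        self.places, self.trans, self.arcs = dict(places), dict(trans), dict(arcs)
        self.marking = {s: marking.get(s, 0) for s in places}

    def W(self, x, y):
        return self.arcs.get((x, y), 0)

    def entry(self):
        return {s for s, l in self.places.items() if l == 'e'}

    def exit(self):
        return {s for s, l in self.places.items() if l == 'x'}

    def entry_marking(self):
        return {s: int(s in self.entry()) for s in self.places}

    def enabled(self, M, U):
        """M [U>: for every place s, M(s) >= sum_{t in U} U(t) * W(s, t)."""
        return all(M[s] >= sum(k * self.W(s, t) for t, k in U.items()) for s in self.places)

    def fire(self, M, U):
        """Follower marking M'(s) = M(s) + sum_{t in U} U(t) * (W(t, s) - W(s, t))."""
        return {s: M[s] + sum(k * (self.W(t, s) - self.W(s, t)) for t, k in U.items())
                for s in self.places}

    def steps(self, M):
        """Enabled steps.  In a safe T-restricted net no transition can occur twice
        in one step, so the non-empty subsets of T are all the candidates."""
        ts = sorted(self.trans)
        for n in range(1, len(ts) + 1):
            for sub in combinations(ts, n):
                U = {t: 1 for t in sub}
                if self.enabled(M, U):
                    yield U

    def reachability_graph(self, M0):
        """States: markings as frozensets of (place, tokens); arcs: (M, U, M')."""
        key = lambda M: frozenset((s, n) for s, n in M.items() if n)
        seen, arcs, todo = {key(M0): M0}, set(), deque([M0])
        while todo:
            M = todo.popleft()
            for U in self.steps(M):
                M2 = self.fire(M, U)
                arcs.add((key(M), frozenset(U), key(M2)))
                if key(M2) not in seen:
                    seen[key(M2)] = M2
                    todo.append(M2)
        return frozenset(seen), frozenset(arcs)

def is_safe(M):
    return all(n <= 1 for n in M.values())

def is_clean(net, M):
    """Safe, and neither a proper superset of the entry nor of the exit marking."""
    marked = {s for s, n in M.items() if n}
    return is_safe(M) and not (net.entry() < marked or net.exit() < marked)

def with_skip_redo(net):
    """Sigma_sr: skip moves the entry marking to the exit marking, redo the reverse;
    all their arcs are unitary."""
    arcs = dict(net.arcs)
    for s in net.entry():
        arcs[(s, 'skip')] = arcs[('redo', s)] = 1
    for s in net.exit():
        arcs[('skip', s)] = arcs[(s, 'redo')] = 1
    return LabelledNet(net.places, dict(net.trans, skip='skip', redo='redo'), arcs, net.marking)

def ts(net):
    """ts_Sigma: reachability graph of Sigma_sr, from the entry marking if Sigma is unmarked."""
    M0 = net.marking if any(net.marking.values()) else net.entry_marking()
    return with_skip_redo(net).reachability_graph(M0)

# Constructed nets (not those of figure 2): Sigma takes a token from its entry
# place to its exit place; Theta takes it to an internal place instead.
SIGMA = LabelledNet({'e1': 'e', 'x1': 'x'}, {'a': 'a'}, {('e1', 'a'): 1, ('a', 'x1'): 1}, {})
THETA = LabelledNet({'e1': 'e', 'i1': 'i', 'x1': 'x'}, {'a': 'a'}, {('e1', 'a'): 1, ('a', 'i1'): 1}, {})

def sizes():
    """(states, arcs) of the reachability graph from the entry marking and of ts,
    for Sigma and Theta: the former coincide, the latter do not."""
    out = []
    for net in (SIGMA, THETA):
        rg = net.reachability_graph(net.entry_marking())
        t = ts(net)
        out.append(((len(rg[0]), len(rg[1])), (len(t[0]), len(t[1]))))
    return tuple(out)

if __name__ == '__main__':
    print(sizes())   # (((2, 1), (2, 3)), ((2, 1), (3, 3)))
```

`steps` enumerates subsets of transitions only, which is exact for safe nets (a transition with a non-empty pre-set cannot occur twice in one step); for the general case of figure 1 the candidate steps would have to be multisets bounded by the marking.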



Plain Boxes. A box is a (possibly infinite) ex-restricted labelled net $\Sigma$. It is, 
by definition, plain if for each transition $t \in T_\Sigma$, the label $\lambda_\Sigma(t)$ is a constant 
relabelling, i.e., $\lambda_\Sigma(t) \in Lab$. A plain box $\Sigma$ is static if $M_\Sigma = \emptyset$ and every 
marking reachable from ${}^\circ\Sigma$ or $\Sigma^\circ$ is safe and clean. A plain box $\Sigma$ is dynamic if 
$M_\Sigma \neq \emptyset$ and every marking reachable from $M_\Sigma$ or ${}^\circ\Sigma$ or $\Sigma^\circ$ is safe and clean. 
A dynamic box $\Sigma$ is an entry (exit) box if $M_\Sigma = {}^\circ\Sigma$ (resp. $M_\Sigma = \Sigma^\circ$). Note 
that the labelled net $\Sigma_0$ in figure 1 is not a box since it has a reachable marking 
which is not clean. The sets of plain static, dynamic, entry and exit boxes will, 
respectively, be denoted by $Box^s$, $Box^d$, $Box^e$ and $Box^x$. 

Operator Boxes. To define an operator box we take a simple box $\Omega$ with 
all relabellings being transformational such that $M_\Omega = \emptyset$ and all the markings 
reachable from ${}^\circ\Omega$ or $\Omega^\circ$ are safe and clean. But we still need to impose on $\Omega$ 
one more property, called factorisability [16], defined next. 

As the transitions of $\Omega$ are meant to be refined by potentially complicated 
boxes, it seems reasonable to consider that their execution may take a long time 
or, indeed, may last indefinitely. This may be captured by a special kind of 
extended markings. 

A complex marking of $\Omega$ is a pair $(M, Q)$ composed of a normal marking $M$ 
of $\Omega$ and a finite multiset $Q$ of engaged transitions of $\Omega$. A standard marking $M$ 
may then be identified with the complex marking $(M, \emptyset)$. The direct reachability 
between two complex markings $(M, Q)$ and $(M', Q')$ is defined thus. $(M', Q')$ is 
directly reachable from $(M, Q)$ if there are finite multisets of transitions $U$, $V$ and $Z$ such 
that $Z \subseteq Q$, $Q' = Q + V - Z$ and for every $s \in S$, $M(s) \geq m_s$ and $M'(s) = M(s) - m_s + m'_s$, where 
$$m_s = \sum_{t \in U + V} W(s, t) \cdot (U(t) + V(t)) \qquad\text{and}\qquad m'_s = \sum_{t \in U + Z} W(t, s) \cdot (U(t) + Z(t)).$$
Intuitively, the transitions in $U$ occur completely, those in $V$ become engaged by consuming 
their input tokens only, and those in $Z$ finish by producing their output tokens only. 

A tuple of sets of transitions of $\Omega$, $\mu = (\mu_e, \mu_d, \mu_x, \mu_s)$, is a factorisation 
of a complex safe (i.e., both $M$ and $Q$ are sets) marking $(M, Q)$ if $\mu_d = Q$, 
$\mu_s = T_\Omega \setminus (\mu_e \cup \mu_d \cup \mu_x)$ and $M = {}^\bullet\mu_e \uplus \mu_x^\bullet$. $\Omega$ itself will be called 
factorisable if for every safe complex marking of $\Omega$ reachable from the entry 
marking of $\Omega_{sr}$, there is at least one factorisation. We will denote by $fact_\Omega$ the 
set of all the factorisations of all the complex markings of $\Omega$ reachable from 
the entry marking, including the only factorisation $(\emptyset, \emptyset, \emptyset, T_\Omega)$ of the empty 
marking. 

The notion of an operator box we have just defined corresponds to what is 
called an sos-operator box in [5, 16] where the reasons for requiring factorisation 
of $\Omega$ are explained in full detail. 

Let $\vec{\Sigma} : T_\Omega \to Box^s \cup Box^d$ be a function from the transitions of $\Omega$ to static and 
dynamic boxes. We will refer to $\vec{\Sigma}$ as an $\Omega$-tuple and denote $\vec{\Sigma}(v)$ by $\Sigma_v$, for every 
$v \in T_\Omega$. If the set of transitions of $\Omega$ is finite, we assume that $T_\Omega = \{v_1, \ldots, v_n\}$ 
and then denote $\vec{\Sigma} = (\Sigma_{v_1}, \ldots, \Sigma_{v_n})$. We extend the notion of factorisation to an 
$\Omega$-tuple $\vec{\Sigma}$ of static and dynamic boxes; the factorisation of $\vec{\Sigma}$ is the quadruple 
$\mu = (\mu_e, \mu_d, \mu_x, \mu_s)$ such that $\mu_\delta = \{v \mid \Sigma_v \in Box^\delta\}$ for $\delta \in \{e, x, s\}$, and 
$\mu_d = \{v \mid \Sigma_v \in Box^d \setminus (Box^e \cup Box^x)\}$. 

The domain of application of $\Omega$, denoted by $dom_\Omega$, is then defined as the 
set comprising every $\Omega$-tuple of static and dynamic boxes $\vec{\Sigma}$ whose factorisation 
belongs to $fact_\Omega$, and such that, for every $v \in T_\Omega$: 

Dom1 If ${}^\bullet v \cap v^\bullet \neq \emptyset$ then $\Sigma_v$ is ex-exclusive, where the latter means that, for 
every marking $M$ reachable from $M_{\Sigma_v}$ or ${}^\circ\Sigma_v$ or $\Sigma_v^\circ$, it is the case that $M \cap {}^\circ\Sigma_v = \emptyset$ 
or $M \cap \Sigma_v^\circ = \emptyset$. 

Dom2 If $v$ is not reversible then $\Sigma_v$ is x-directed, where $v$ is reversible if, for 
every complex marking $(M, Q)$ reachable from ${}^\circ\Omega$ or $\Omega^\circ$, $v^\bullet \subseteq M$ implies that 
$(M \setminus v^\bullet, Q \cup \{v\})$ is also a marking reachable from ${}^\circ\Omega$ or $\Omega^\circ$. 

In the previously published work on the box algebra, it was assumed that 
all boxes are ex-directed and, in addition, that operator boxes are both finite 
(though this restriction was not used in [10]) and pure. Making such assumptions 
resulted in a simplification of the formal treatment and proofs. The present 
framework is more difficult to handle, but at the same time it is much more 
expressive, with obvious implications for the practical applicability of the box 
algebra. 
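The complex-marking rule, factorisability, $dom_\Omega$ and the reversibility test of (Dom2) are easy to mechanise for a finite operator box. The following Python code is an added example (not from the paper). The operator box it uses has places $s_1, \ldots, s_5$, transitions $v_1, v_2, v_3$ and the shape $(v_1 \| v_2); v_3$ (arcs $s_1 \to v_1 \to s_3 \to v_3 \to s_5$ and $s_2 \to v_2 \to s_4 \to v_3$); this shape is an assumption about $\Omega_0$ of figure 3, inferred from the place names listed there. The running example in section 3 reports 13 factorisations for $\Omega_0$ and the domain $Box^d \times Box^d \times Box^s \cup Box^s \times Box^s \times Box^d \cup Box^s \times Box^s \times Box^s$; both are reproduced by the code, and safeness of every reachable complex marking is asserted along the way, as the definition of an operator box requires.

```python
"""Complex markings, factorisations, dom_Omega and the reversibility test of
(Dom2) for a finite operator box (section 2).  Added example, not from the paper."""
from collections import deque
from itertools import combinations

# Constructed operator box shaped (v1 || v2); v3: an assumption about Omega_0 of
# figure 3, inferred from the place names listed there.
PLACES = {'s1': 'e', 's2': 'e', 's3': 'i', 's4': 'i', 's5': 'x'}
PRE = {'v1': frozenset({'s1'}), 'v2': frozenset({'s2'}), 'v3': frozenset({'s3', 's4'})}
POST = {'v1': frozenset({'s3'}), 'v2': frozenset({'s4'}), 'v3': frozenset({'s5'})}
TRANS = tuple(PRE)
ENTRY = frozenset(s for s, l in PLACES.items() if l == 'e')
EXIT = frozenset(s for s, l in PLACES.items() if l == 'x')
EMPTY = (frozenset(), frozenset())

def put(M, P):
    """Add a token on each place of P to the safe marking M.  A second token on a
    place would violate safeness, which an operator box must never do."""
    assert not (M & P), "reachable complex marking is not safe"
    return M | P

def moves(state):
    """One-transition moves between complex markings (M, Q): fire t (U = {t}),
    engage t (V = {t}: consume only), finish an engaged t (Z = {t}: produce only),
    plus skip and redo of Omega_sr.  A general step (U, V, Z) is a sequence of
    such moves, so they generate the same reachable set."""
    M, Q = state
    out = []
    for t in TRANS:
        if PRE[t] <= M:
            out.append((put(M - PRE[t], POST[t]), Q))
            assert t not in Q, "engaged twice: Q is not a set"
            out.append((M - PRE[t], Q | {t}))
        if t in Q:
            out.append((put(M, POST[t]), Q - {t}))
    if ENTRY <= M:
        out.append((put(M - ENTRY, EXIT), Q))
    if EXIT <= M:
        out.append((put(M - EXIT, ENTRY), Q))
    return out

def reachable(start=(ENTRY, frozenset())):
    """Complex markings reachable from the entry marking of Omega_sr."""
    seen, todo = {start}, deque([start])
    while todo:
        for nxt in moves(todo.popleft()):
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen

def factorisations(state):
    """All mu = (mu_e, mu_d, mu_x, mu_s) with mu_d = Q, M = pre(mu_e) (+) post(mu_x)
    as a disjoint union, and mu_s the remaining transitions."""
    M, Q = state
    free = [t for t in TRANS if t not in Q]
    found = []
    for ne in range(len(free) + 1):
        for mu_e in combinations(free, ne):
            rest = [t for t in free if t not in mu_e]
            for nx in range(len(rest) + 1):
                for mu_x in combinations(rest, nx):
                    parts = [PRE[t] for t in mu_e] + [POST[t] for t in mu_x]
                    if sum(map(len, parts)) == len(M) and frozenset().union(*parts) == M:
                        mu_s = frozenset(t for t in rest if t not in mu_x)
                        found.append((frozenset(mu_e), Q, frozenset(mu_x), mu_s))
    return found

def factorisable():
    return all(factorisations(st) for st in reachable())

def fact_omega():
    """fact_Omega: factorisations of all reachable complex markings, plus the only
    factorisation (0, 0, 0, T_Omega) of the empty marking."""
    return [mu for st in sorted(reachable() | {EMPTY}, key=repr) for mu in factorisations(st)]

def reversible(v):
    """(Dom2): whenever the post-set of v is marked, v could also still be engaged.
    Checked over the complex markings reachable in Omega_sr, a superset of those
    reachable from the entry or exit marking of Omega alone."""
    states = reachable()
    return all((M - POST[v], Q | {v}) in states for M, Q in states if POST[v] <= M)

def domain_types():
    """dom_Omega as the set of per-transition box classes (e, d, x or s) admitted."""
    return {tuple('e' if t in mu_e else 'd' if t in mu_d else 'x' if t in mu_x else 's'
                  for t in TRANS) for mu_e, mu_d, mu_x, mu_s in fact_omega()}

if __name__ == '__main__':
    print(len(reachable()), 'reachable complex markings,', len(fact_omega()), 'factorisations')
```

The marking $(\{s_3, s_4\}, \emptyset)$ is the one reachable marking with two factorisations, $(\{v_3\}, \emptyset, \emptyset, \{v_1, v_2\})$ and $(\emptyset, \emptyset, \{v_1, v_2\}, \{v_3\})$: the tokens can be read either as the entry marking of the box refining $v_3$ or as the exit markings of the boxes refining $v_1$ and $v_2$.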

3 Net Refinement 

Net refinement embodies a mechanism by which transition refinement and interface 
change specified by relabellings are combined. Both operations are defined 
for an operator box $\Omega$ which serves as a pattern for gluing together a tuple of 
plain boxes $\vec{\Sigma}$ along their entry and exit interfaces. The relabellings annotating 
the transitions of $\Omega$ specify the interface changes to which the boxes in $\vec{\Sigma}$ are 
subjected. 

As far as net refinement as such is concerned, the names (identities) of newly 
constructed transitions and places are basically irrelevant. However, in our approach 
to solving recursive definitions on boxes, the names of places and transitions 
play a crucial role since they are a key in the construction of recursive 
nets [3, 10, 16]. 

We shall assume that there are two disjoint infinite sets of basic place and 
transition names, $P_{root}$ and $T_{root}$. Each name $\eta \in P_{root} \cup T_{root}$ can be viewed as 
a special tree with a single root labelled with $\eta$ which is also a leaf. We shall 
also employ more complex trees as transition and place names, and use a linear 
notation to express such trees. To this end, an expression $x \triangleleft S$, where $x$ is a 
basic name in $P_{root} \cup T_{root}$ or a pair $(t, a) \in T_{root} \times Lab$, and $S$ is a multiset of 
trees, denotes a tree where the trees of the multiset are appended (with their 
multiplicity) to an $x$-labelled root. Moreover, if $S = \{p\}$ is a singleton then $x \triangleleft S$ 
will be denoted by $x \triangleleft p$, and if $S$ is empty then $x \triangleleft S = x$. 

We shall further assume that in every operator box, all the places and transitions 
are basic names (i.e., single root trees) from respectively $P_{root}$ and $T_{root}$. 
For the plain boxes, the trees used as names may be more complex. Each transition 
tree is a finite tree labelled with elements of $T_{root}$ (at the leaves) and 
$T_{root} \times Lab$ (elsewhere), and each place tree is a possibly infinite (in depth and 
width) tree labelled with basic names from $P_{root}$ and $T_{root}$, which has the form 
$t_1 \triangleleft t_2 \triangleleft \cdots \triangleleft t_n \triangleleft s \triangleleft S$, where $t_1, \ldots, t_n \in T_{root}$ ($n \geq 0$) are transition names 
and $s \in P_{root}$ is a place name (so that no confusion will be possible between 
transition-trees and place-trees: the latter always have a label from $P_{root}$ and the 
former never). We comprise all these trees (including the basic ones consisting 
only of a root as special cases) in our sets of allowed place and transition names, 
denoted respectively by $P_{tree}$ and $T_{tree}$. 

Formal Definition. Let $\Omega$ be an operator box, and $\vec{\Sigma} \in dom_\Omega$ be an $\Omega$-tuple 
of static and dynamic boxes in its domain of application. The result of 
a simultaneous substitution of the boxes $\vec{\Sigma}$ for the transitions in $\Omega$ is a labelled 
net $\Omega(\vec{\Sigma})$ such that the set of places is defined as the (disjoint) union 
$$S_{\Omega(\vec{\Sigma})} = \bigcup_{v \in T_\Omega} SP^{new}_v \;\uplus\; \bigcup_{s \in S_\Omega} SP^{new}_s,$$
where $SP^{new}_v = \{v \triangleleft q \mid q \text{ is an internal place of } \Sigma_v\}$ and $SP^{new}_s$ is the set of all 
$$p = s \triangleleft \big(\{v \triangleleft x_v \mid v \in {}^\bullet s\} + \{w \triangleleft e_w \mid w \in s^\bullet\}\big) \qquad (1)$$
such that $x_v \in \Sigma_v^\circ$ and $e_w \in {}^\circ\Sigma_w$. The marking (label) of a place $p$ in $\Omega(\vec{\Sigma})$ is: 
$M_{\Sigma_v}(q)$ (resp. $i$) if $p = v \triangleleft q \in SP^{new}_v$, and 
$$\sum_{v \in {}^\bullet s} M_{\Sigma_v}(x_v) + \sum_{w \in s^\bullet} M_{\Sigma_w}(e_w)$$
(resp. $\lambda_\Omega(s)$) if $p \in SP^{new}_s$ is as in (1). For a transition $y$ of $\Omega$ and a place 
$p = v \triangleleft q \in SP^{new}_v$, we define $trees_y(p) = \{q\}$ if $v = y$, and $trees_y(p) = \emptyset$ if $v \neq y$; 
moreover, for $p \in SP^{new}_s$ as in (1), we define $trees_y(p)$ as: $\{x_y, e_y\}$ if $y \in {}^\bullet s \cap s^\bullet$; 
$\{x_y\}$ if $y \in {}^\bullet s \setminus s^\bullet$; $\{e_y\}$ if $y \in s^\bullet \setminus {}^\bullet s$; and $\emptyset$ otherwise. 

The set of transitions is $T_{\Omega(\vec{\Sigma})} = \bigcup_{v \in T_\Omega} TP^{new}_v$ where $TP^{new}_v$ comprises all $t = 
(v, a) \triangleleft Q$ such that $Q \in mult(T_{\Sigma_v})$ and $(\lambda_{\Sigma_v}(Q), a) \in \lambda_\Omega(v)$. The label of $t$ is $a$. 
Similarly as for places, we will denote by $trees(u)$ the multiset of transitions $Q$ 
upon which a newly constructed transition $u = (v, a) \triangleleft Q \in TP^{new}_v$ is based. 

For a place $p$ and transition $u$ in $TP^{new}_v$, the weight $W_{\Omega(\vec{\Sigma})}(p, u)$ is given by: 
$$\sum_{z \in trees_v(p)} \;\sum_{t \in trees(u)} trees(u)(t) \cdot W_{\Sigma_v}(z, t).$$
The weight $W_{\Omega(\vec{\Sigma})}(u, p)$ is defined similarly, with $W_{\Sigma_v}(t, z)$ in place of $W_{\Sigma_v}(z, t)$. 

Theorem 1. $\Omega(\vec{\Sigma})$ is a static or dynamic box. □ 

Perhaps surprisingly, the above result is not straightforward [6]. 

A Running Example. Figure 3 shows an operator box which will serve as 
a running example. $\Omega_0$ is a simple, pure, safe and clean box. It is also factorisable, 
which can be checked by inspecting all the complex markings reachable 
from the entry or exit marking, and all its transitions are reversible. For example, 
$({}^\circ\Omega_0, \emptyset) = (\{s_1, s_2\}, \emptyset)$ has a unique factorisation, $(\{v_1, v_2\}, \emptyset, \emptyset, \{v_3\})$, 
and the reachable complex marking $(\{s_1\}, \{v_2\})$ has a unique factorisation as 
well, $(\{v_1\}, \{v_2\}, \emptyset, \{v_3\})$. In all, $fact_{\Omega_0}$ comprises 13 factorisations. One can see 
that $dom_{\Omega_0} = Box^d \times Box^d \times Box^s \;\cup\; Box^s \times Box^s \times Box^d \;\cup\; Box^s \times Box^s \times Box^s$. 
Figure 3 shows an $\Omega_0$-tuple of boxes, $\vec{\Sigma} = (\Sigma_{v_1}, \Sigma_{v_2}, \Sigma_{v_3})$ whose factorisation, 
$(\{v_1\}, \{v_2\}, \emptyset, \{v_3\})$, belongs to $fact_{\Omega_0}$, and the tuple itself belongs to the domain 
of application of the operator box $\Omega_0$. The box $\Omega_0(\vec{\Sigma})$ exemplifies net refinement, 
and the full linear notation for its place and transition (tree) names is also shown 
in figure 3. 
$p_1 = s_1 \triangleleft v_1 \triangleleft q_{11}$, $p_2 = s_1 \triangleleft v_1 \triangleleft q_{12}$, $w_1 = (v_1, f) \triangleleft \{t_{11}, t_{12}\}$ 

$p_3 = s_3 \triangleleft \{v_1 \triangleleft q_{13}, v_3 \triangleleft q_{31}\}$, $p_4 = s_3 \triangleleft \{v_1 \triangleleft q_{14}, v_3 \triangleleft q_{31}\}$, $w_2 = (v_2, c) \triangleleft t_{21}$ 

$p_5 = s_2 \triangleleft v_2 \triangleleft q_{21}$, $p_6 = v_2 \triangleleft q_{22}$, $w_3 = (v_2, d) \triangleleft t_{22}$ 

$p_7 = s_4 \triangleleft \{v_2 \triangleleft q_{23}, v_3 \triangleleft q_{31}\}$, $p_8 = s_5 \triangleleft v_3 \triangleleft q_{32}$, $w_4 = (v_3, e) \triangleleft t_{31}$ 

Fig. 3. Boxes of the running example ($\rho = \rho_{id} \setminus \{(\{a\}, a), (\{b\}, b)\} \cup \{(\{a, b\}, f)\}$). 
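To make the formal definition concrete, the following Python code (an added example, not the paper's own) builds $\Omega_0(\vec{\Sigma})$ for the running example and prints the tree names in the linear notation of figure 3. The interfaces (entry, exit and internal places, transition labels and the relabelling $\rho$ on $v_1$) follow the names listed above, but the shape of $\Omega_0$ ($(v_1 \| v_2); v_3$) and the arcs inside the three plain boxes are not given on the page and are assumed here: $t_{11}: q_{11} \to q_{13}$ and $t_{12}: q_{12} \to q_{14}$ in $\Sigma_{v_1}$, $t_{21}: q_{21} \to q_{22}$ and $t_{22}: q_{22} \to q_{23}$ in $\Sigma_{v_2}$, and $t_{31}: q_{31} \to q_{32}$ in $\Sigma_{v_3}$; the markings realise the factorisation $(\{v_1\}, \{v_2\}, \emptyset, \{v_3\})$. The identity relabelling is represented on the five labels actually in use. The transition $w_1 = (v_1, f) \triangleleft \{t_{11}, t_{12}\}$ synchronises the $a$- and $b$-labelled transitions of $\Sigma_{v_1}$ into one $f$-labelled transition with pre-set $\{p_1, p_2\}$ and post-set $\{p_3, p_4\}$, and $w_4$ acquires the three glued input places $p_3, p_4, p_7$, exactly as formula (1) and the weight formula prescribe.

```python
"""Net refinement Omega(Sigma) with tree-shaped names (section 3, Formal
Definition).  Added example; the operator box and the arcs inside the plain
boxes are assumptions, see the lead-in."""
from itertools import product

def tree(root, children):
    """x <| S: the multiset S of subtrees appended to a root labelled x."""
    return (root, tuple(sorted(children, key=repr)))

def show(t):
    """Linear notation: a basic name is a leaf, x<|p for a singleton S, x<|{..} else."""
    if isinstance(t, str):
        return t
    root, kids = t
    head = root if isinstance(root, str) else "(%s,%s)" % root
    if not kids:
        return head
    body = show(kids[0]) if len(kids) == 1 else "{" + ", ".join(map(show, kids)) + "}"
    return head + "<|" + body

def pre(net, x):
    return [y for (y, z) in net['arcs'] if z == x]

def post(net, x):
    return [z for (y, z) in net['arcs'] if y == x]

def refine(omega, boxes):
    """Omega(Sigma) as (places, trans, arcs): places {p: (label, tokens)},
    trans {u: label}, arcs {(x, y): weight}."""
    places, parts = {}, {}                  # parts[p][v] = trees_v(p)
    for v, box in boxes.items():            # SP_v^new: internal places q of Sigma_v, named v <| q
        for q, lab in box['places'].items():
            if lab == 'i':
                p = tree(v, [q])
                places[p], parts[p] = ('i', int(q in box['M'])), {v: [q]}
    for s, lab in omega['places'].items():  # SP_s^new, formula (1): one exit place per
        slots = ([(v, [q for q, l in boxes[v]['places'].items() if l == 'x']) for v in pre(omega, s)]
                 + [(w, [q for q, l in boxes[w]['places'].items() if l == 'e']) for w in post(omega, s)])
        for choice in product(*[qs for _, qs in slots]):   # pre-transition, one entry place per post-transition
            glued = list(zip([y for y, _ in slots], choice))
            p = tree(s, [tree(y, [q]) for y, q in glued])
            places[p] = (lab, sum(q in boxes[y]['M'] for y, q in glued))
            parts[p] = {}
            for y, q in glued:
                parts[p].setdefault(y, []).append(q)
    trans, arcs = {}, {}
    for v, rho in omega['rho'].items():     # TP_v^new: (v, a) <| Q with (lambda(Q), a) in rho_v
        box = boxes[v]
        for gamma, a in rho:
            cands = [[t for t, l in box['trans'].items() if l == lab] for lab in gamma]
            for Q in {tuple(sorted(c)) for c in product(*cands)}:
                u = tree((v, a), Q)
                trans[u] = a
                for p in places:            # W(p,u) = sum_{z in trees_v(p)} sum_{t in Q} Q(t) W_v(z,t)
                    for z in parts[p].get(v, []):
                        for t in Q:         # iterating the tuple counts the multiplicity Q(t)
                            if box['arcs'].get((z, t)):
                                arcs[(p, u)] = arcs.get((p, u), 0) + box['arcs'][(z, t)]
                            if box['arcs'].get((t, z)):
                                arcs[(u, p)] = arcs.get((u, p), 0) + box['arcs'][(t, z)]
    return places, trans, arcs

LABELS = 'abcde'
RHO_ID = {((l,), l) for l in LABELS}        # identity relabelling on the labels in use
OMEGA_0 = {'places': {'s1': 'e', 's2': 'e', 's3': 'i', 's4': 'i', 's5': 'x'},   # assumed shape (v1 || v2); v3
           'arcs': {('s1', 'v1'): 1, ('v1', 's3'): 1, ('s2', 'v2'): 1, ('v2', 's4'): 1,
                    ('s3', 'v3'): 1, ('s4', 'v3'): 1, ('v3', 's5'): 1},
           'rho': {'v1': (RHO_ID - {(('a',), 'a'), (('b',), 'b')}) | {(('a', 'b'), 'f')},
                   'v2': RHO_ID, 'v3': RHO_ID}}
BOXES = {  # interfaces from figure 3; the arcs are assumed
    'v1': {'places': {'q11': 'e', 'q12': 'e', 'q13': 'x', 'q14': 'x'}, 'trans': {'t11': 'a', 't12': 'b'},
           'arcs': {('q11', 't11'): 1, ('t11', 'q13'): 1, ('q12', 't12'): 1, ('t12', 'q14'): 1},
           'M': {'q11', 'q12'}},                                              # entry box
    'v2': {'places': {'q21': 'e', 'q22': 'i', 'q23': 'x'}, 'trans': {'t21': 'c', 't22': 'd'},
           'arcs': {('q21', 't21'): 1, ('t21', 'q22'): 1, ('q22', 't22'): 1, ('t22', 'q23'): 1},
           'M': {'q22'}},                                                      # dynamic, not entry/exit
    'v3': {'places': {'q31': 'e', 'q32': 'x'}, 'trans': {'t31': 'e'},
           'arcs': {('q31', 't31'): 1, ('t31', 'q32'): 1}, 'M': set()}}        # static

def names():
    """Linear names of the places and transitions of Omega_0(Sigma)."""
    places, trans, _ = refine(OMEGA_0, BOXES)
    return sorted(map(show, places)), sorted(map(show, trans))

def marked():
    places, _, _ = refine(OMEGA_0, BOXES)
    return sorted(show(p) for p, (_, n) in places.items() if n)

def pre_post(u_name):
    """Pre- and post-set (linear names) of a transition of Omega_0(Sigma)."""
    _, trans, arcs = refine(OMEGA_0, BOXES)
    u = next(t for t in trans if show(t) == u_name)
    return (sorted(show(x) for (x, y) in arcs if y == u), sorted(show(y) for (x, y) in arcs if x == u))

if __name__ == '__main__':
    for kind in names():
        print(*kind, sep='\n')
```

Because $\Omega_0$ is pure, no transition of $\Omega_0$ is both in ${}^\bullet s$ and in $s^\bullet$ for the same place; the code nevertheless keeps $trees_y(p)$ as a list, so the $\{x_y, e_y\}$ case of the definition is handled when it does arise.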
Further Restrictions on the Domain of an Operator Box. As we already 
mentioned, we have removed some restrictions imposed previously on plain and 
operator boxes, such as ex-directedness. The motivation for such a change came 
from the desire to accommodate within the general scheme operator boxes which 
can express iterative behaviours in an appealing way, such as $\Omega_*$ in figure 4 which 
models the behaviour $v_1 * v_2$ (in other words, any number of repetitions of the net 
refining $v_1$ followed by a behaviour of the net refining $v_2$). It is worth noting 
that $\Omega_*$ is useful in modelling guarded while-loops; basically, $v_2$ corresponds to 
the negation of the guard(s), and $v_1$ to the repetitive behaviour. 

Allowing operator boxes like $\Omega_*$ does not create any problems as far as the 
consistency between nets and process expressions is concerned, but there is now 
a real danger of creating composite nets which are not in agreement with an 
intuitive meaning of operations specified by operator boxes. For consider the 
expression $(b * c) \square a$. According to our intuition about the operation specified by 
$\Omega_*$, one would expect that the net model of $(b * c) \square a$ might look like the net in 
the middle of figure 4. But then it may be noticed that, from the entry marking, 
an evolution $\{b\}\{b\}\{a\}$ is allowed, which does not correspond to what one 
expects from a choice construct. The ex-directedness of boxes in the previous formulations 
of the box algebra was introduced in order to avoid this non-intuitive 
behaviour in the case of the choice operator. However, if it is ascertained that a 
loop does not occur initially in an enclosing choice, or in an enclosing loop, then 
the problem also disappears, and ex-directedness is no longer required. For example, 
a net model of $a ; (b * c)$, shown in the right of figure 4, is correct, which can 
be checked by considering all the behaviours from its entry marking. One could, 
of course, ask whether operators like $\Omega_*$ are important enough to justify the 
inevitable complications caused by their adoption within the general framework. 
The answer is yes, since they allow a crisp and faithful translation of looping 
constructs. 




Fig. 4. Operator box $\Omega_*$ and nets modelling (tentatively) $(b * c) \square a$ and $a ; (b * c)$. 

As a consequence of the above discussion, we formulate two additional conditions 
on an $\Omega$-tuple $\vec{\Sigma}$ in the domain of application of $\Omega$. 

Beh1 If $\Sigma_v$ is non-e-directed then ${}^\bullet v \cap \Omega^\circ = \emptyset = {}^\bullet({}^\bullet v \cap {}^\circ\Omega)$, $({}^\bullet v)^\bullet = \{v\}$, and 
all the boxes $\Sigma_w$ for $w \in {}^\bullet({}^\bullet v)$ are x-directed. 

Beh2 If $\Sigma_v$ is non-x-directed then $v^\bullet \cap {}^\circ\Omega = \emptyset = (v^\bullet \cap \Omega^\circ)^\bullet$, ${}^\bullet(v^\bullet) = \{v\}$, and 
all the boxes $\Sigma_w$ for $w \in (v^\bullet)^\bullet$ are e-directed. 

Adding (Beh1) and (Beh2) makes the problem described above disappear. 
For example, in $\Sigma \square \Theta$, both $\Sigma$ and $\Theta$ should be ex-directed; and in $\Sigma ; \Theta$, $\Sigma$ 
should be x-directed or $\Theta$ should be e-directed. Then one can see, for example, 
that a behaviour of $\Sigma \square \Theta$ is a behaviour of $\Sigma$ or a behaviour of $\Theta$, whereas a 
behaviour of $\Sigma ; \Theta$ is a behaviour of $\Sigma$, or a terminated behaviour of $\Sigma$ followed 
by a behaviour of $\Theta$. 

In view of the conditions expressed by (Dom1-Dom2) and (Beh1-Beh2) it is 
relevant (and, as our experience shows, entirely satisfactory) to have the following 
sufficient conditions for e-directedness, x-directedness and ex-exclusiveness, in 
the refinement context. 

Proposition 1. If $\Omega$ and $\Sigma_v$, for every $v \in ({}^\circ\Omega)^\bullet$ (resp. $v \in {}^\bullet(\Omega^\circ)$), are all 
e-directed (resp. x-directed) boxes, then so is $\Omega(\vec{\Sigma})$. □ 

Proposition 2. Let $\Omega$ be an ex-exclusive operator box and suppose that, for 
every $v \in T_\Omega$ satisfying ${}^\bullet v \cap {}^\circ\Omega \neq \emptyset \neq v^\bullet \cap \Omega^\circ$ or $v^\bullet \cap {}^\circ\Omega \neq \emptyset \neq {}^\bullet v \cap \Omega^\circ$, it is 
the case that $\Sigma_v$ is ex-exclusive. Then $\Omega(\vec{\Sigma})$ is ex-exclusive. □ 



4 The Box Algebra 

The box algebra is a meta-model parameterised by a set ConstBox of static 
and dynamic plain boxes which provide a denotational semantics of simple process 
expressions, and a disjoint set OpBox of operator boxes which provide interpretation 
for the connectives. The only assumption is that for all distinct 
$\Psi, \Theta \in ConstBox \cup OpBox$, 
$$S_\Psi \cup T_\Psi \subseteq P_{root} \cup T_{root} \qquad\text{and}\qquad S_\Psi \cap S_\Theta = T_\Psi \cap T_\Theta = \emptyset. \qquad (2)$$
These assumptions are needed, for instance, to apply the results on solving recursive 
systems of equations on boxes obtained in [10]. 

Syntax. We consider an algebra of process expressions over the signature $Const \cup 
\{\overline{(.)}, \underline{(.)}\} \cup \{op_\Omega \mid \Omega \in OpBox\}$ where Const is a fixed non-empty set of constants, 
$\overline{(.)}$ and $\underline{(.)}$ are two unary operators, and each $op_\Omega$ is a connective (whose arity 
is the number of transitions of $\Omega$). The set of constants is partitioned into the 
static constants, $Const^s$, and dynamic constants, $Const^d$; moreover, there are two 
disjoint subsets of $Const^d$, denoted by $Const^e$ and $Const^x$, and respectively called 
the entry and exit constants. We will also use a fixed set Var of process variables. 

We shall make use of four classes of process expressions corresponding to 
previously introduced classes of plain boxes: the entry, dynamic, exit and static 
expressions, denoted respectively by $Expr^e$, $Expr^d$, $Expr^x$ and $Expr^s$. Collectively, 
we will refer to them as the box expressions, $Expr^{box}$. We will also use a counterpart 
of the notion of the factorisation of a tuple of boxes. For an operator 
box $\Omega$ and an $\Omega$-tuple of box expressions $\vec{D}$ (we again use the notation $D_v$ to 
access individual members of $\vec{D}$), we define the factorisation of $\vec{D}$ to be the tuple 
$\mu = (\mu_e, \mu_d, \mu_x, \mu_s)$ such that $\mu_\delta = \{v \mid D_v \in Expr^\delta\}$, for $\delta \in \{e, x, s\}$, and 
$\mu_d = \{v \mid D_v \in Expr^d \setminus (Expr^e \cup Expr^x)\}$. 
The syntax for the box expressions $Expr^{box}$ is given by: 
$$\begin{array}{lrl}
Expr^s: & E ::= & c^s \;\mid\; X \;\mid\; op_\Omega(\vec{E}) \\
Expr^e: & F ::= & c^e \;\mid\; \overline{E} \;\mid\; op_\Omega(\vec{F}) \\
Expr^x: & G ::= & c^x \;\mid\; \underline{E} \;\mid\; op_\Omega(\vec{G}) \\
Expr^d: & H ::= & c^d \;\mid\; F \;\mid\; G \;\mid\; op_\Omega(\vec{H})
\end{array} \qquad (3)$$
where $c^\delta \in Const^\delta$, for $\delta \in \{e, x, s\}$, and $c^d \in Const^d \setminus (Const^e \cup Const^x)$ are 
constants; $X \in Var$ is a process variable; $\Omega \in OpBox$ is an operator box; and $\vec{E}$, 
$\vec{F}$, $\vec{G}$ and $\vec{H}$ are $\Omega$-tuples of box expressions. The factorisations of $\vec{E}$, $\vec{F}$ and $\vec{G}$ 
are respectively factorisations of the complex empty, entry and exit markings of 
$\Omega$, and the factorisation of $\vec{H}$ is a factorisation of a marking reachable from the 
entry or exit marking of $\Omega$ different from ${}^\circ\Omega$ and $\Omega^\circ$. For every process variable 
$X \in Var$, there is a unique defining equation $X = op_\Omega(\vec{L})$ where $\Omega \in OpBox$ is 
an operator box and $\vec{L}$ is an $\Omega$-tuple of process variables and static constants. 

The above syntax does not incorporate the conditions (Dom1) and (Dom2). 
We could, of course, add these in a purely syntactic way, by taking advantage of 
the two results characterising compositionally defined ex-exclusive and x-directed 
boxes, i.e., propositions 1 and 2. However, we found it simpler to explicitly 
describe syntactic restrictions implied by (Dom1) and (Dom2), after giving a 
translation from the constant expressions to boxes. 

Infinite Operators. If each operator box 17 in OpBox has Rnitely many tran- 
sitions, the meaning of the syntax (3) is the usual one; it simply defines four 
sets of finite strings, or words. In the general case, however, we need to take into 
account l7’s with infinite transition sets, and one should ask what precisely do 
we then mean by the syntax (3) and the expressions it generates. Our answer is 
that expressions can, in general, be seen as trees and the syntax definition above 
as a definition of four sets of such trees. In what follows, we will use a still more 
general set of process expressions (we shall need this larger set of expressions 
later on, in the definition of a similarity relation on process expressions, and the 
definition of the inference rules of the operationa31 semantics) over the signature 
of the box algebra, denoted by Expr and referred to as expressions, defined by: 

C ::= c I X I C I C I op^(C) 

where c ∈ Const is a constant, X ∈ Var is a variable, and C is any Ω-tuple of 
expressions, for Ω ∈ OpBox. The precise meaning of expressions defined by this 
syntax is given by (possibly infinite) trees which do not have infinite paths from 
the root and are essentially syntax trees of the expressions they represent. The 
technical treatment is based on transfinite induction [6]. 

It follows directly from the syntax (3) and the assumptions we made that 
Expr^e and Expr^x are disjoint subsets of Expr^d, and that the static and dynamic 
expressions are disjoint sets; thus the factorisation of an Ω-tuple of box expres- 
sions is always a partition of the set of transitions of Ω, T_Ω. 

It is convenient to have a notation for turning an expression in Expr into 
a corresponding static one. We again use ⌊H⌋ to denote such an operation; it 
removes from H all the occurrences of the entry and exit decorations (.)̲ and (.)̄, 
and replaces every occurrence of each dynamic constant c by the corresponding 
static constant ⌊c⌋ (i.e., we assume that each dynamic constant c is associated 
to a unique static constant, denoted ⌊c⌋). The operators (.)̲, (.)̄ and ⌊.⌋ can be 
applied in the usual way (i.e., elementwise) to sets as well as tuples of expressions. 
The same will be true of the semantical mapping box and the structural similarity 
relation ≡, defined later on. In what follows, the constant expressions, i.e., those 
in Const^s ∪ Const^d, not involving any connective op_Ω nor a process variable, 
will be referred to as flat. 

We will continue to use the boxes depicted in figure 3 in order to con- 
struct a simple yet illustrative algebra of process expressions. The Do It Your- 
self (DIY) algebra is based on two sets of boxes, ConstBox = {Φ1, Φ11, Φ12} ∪ 
{Φ2, Φ21, Φ22, Φ23} ∪ {Φ3} and OpBox = {Ω0}, where the markings of the constant 
boxes are given by the equations whose left-hand sides are lost in the scan: 
... = ... (for all i and j), ... = {q11, q14}, ... = {q13, q12} and ... = {q2k} 
(for k = 1, 2, 3). 

The constants of the DIY algebra correspond to the boxes in ConstBox: Const^e = 
{c21}, Const^s = {c1, c2, c3}, Const^x = {c23} and Const^d = {c11, c12, c21, c22, c23}. 
Moreover, ⌊c_ij⌋ = c_i, for every dynamic constant c_ij. The syntax of the DIY 
algebra is obtained by instantiating (3) with the concrete constants and operator 
introduced above. For example, the syntax for the static and entry expres- 
sions is given respectively by E ::= c1 | c2 | c3 | X | op_Ω0(E, E, E) and 
E̲ ::= c21 | X̲ | op_Ω0(E, E, E), where in the last tuple the arguments carry the 
decorations prescribed by the entry factorisation of Ω0. 

4.1 Denotational Semantics of the Box Algebra 

The denotational semantics is given in the form of a mapping box from box 
expressions to boxes. To begin with, constant expressions are mapped onto con- 
stant boxes of corresponding types, i.e., for every constant c and δ ∈ {e, d, x, s}, 
c ∈ Const^δ ⟹ box(c) ∈ Box^δ ∩ ConstBox. It is also assumed that, for every 
dynamic constant c, the underlying box is the same as for the corresponding 
static constant, i.e., ⌊box(c)⌋ = box(⌊c⌋), and that for every (non-entry and non- 
exit) dynamic box Σ reachable from an initially marked constant box there is a 
corresponding dynamic constant c, i.e., box(c) = Σ. 

Syntactic restrictions resulting from (Dom1) and (Dom2). We now 
introduce into the box expression framework the constraints (Dom1) and (Dom2) 
imposed on the tuples of plain boxes in the domain of application of an operator 
box. We assume that within the set of box expressions generated by the syntax 
(3), three additional sets of expressions have been defined: the set of well formed 
expressions, Expr^wf, which comprises all flat expressions, among others; the set of 
ex-exclusive expressions, Expr^exex ⊆ Expr^wf; and the set of x-directed expressions, 
Expr^xdir ⊆ Expr^wf, in such a way that they are the largest sets of expressions 
such that the following are satisfied: 

- For every constant c in Expr^exex or Expr^xdir, box(c) is ex-exclusive or x- 
directed, respectively. 

- For all expressions E and X in Expr^wf, Expr^exex or Expr^xdir, the entry and 
exit decorated versions of E and X belong to Expr^wf, Expr^exex or Expr^xdir, 
respectively. 

- For every variable X in Expr^wf, Expr^exex or Expr^xdir defined by X = op_Ω(L), 
the expression op_Ω(L) belongs to Expr^wf, Expr^exex or Expr^xdir, respectively. 

- For every well formed expression op_Ω(D), the expressions in D are also well 
formed and, for every v ∈ T_Ω, if •v ∩ v• ≠ ∅ then D_v is ex-exclusive, and if 
v is not reversible then D_v is x-directed. 

- For every ex-exclusive expression op_Ω(D), Ω is an ex-exclusive operator box 
such that, for every v ∈ T_Ω satisfying v• ∩ °Ω ≠ ∅ ≠ •v ∩ Ω°, D_v is 
ex-exclusive. 

- For every x-directed expression op_Ω(D), Ω is an x-directed box and the 
expression D_v, for every v ∈ T_Ω, is x-directed. 

Restrictions similar to those formulated above can also be introduced to 
render the conditions (Beh1) and (Beh2). 

If all operator boxes in OpBox are pure and have only reversible transitions, 
then we can take Expr^wf to be the entire set of box expressions defined by the 
syntax (3), i.e., Expr^wf = Expr^box. It is both interesting and relevant to observe 
that the standard PBC [4] can be treated in this way; moreover, this is also the 
case for the DIY algebra. 

To simplify the presentation, in what follows we will implicitly assume that 
Expr^box contains only well formed expressions. 

Variables. With each defining equation X = op_Ω(L), we associate an equation 
on boxes X = Ω(A) where A_v = L_v if L_v is a process variable (treated here as a 
net variable), and A_v = box(L_v) if L_v is a static constant. This creates a system 
of equations on boxes of the following form (one equation for every variable X 
in Var): 

$$ X = \Omega_X(A_X). \qquad (4) $$

On the right-hand side, Ω_X is an operator box with the empty marking, and 
A_X is an Ω_X-tuple whose elements are either recursion variables or static boxes. 
Now, given a mapping sol : Var → Box^s assigning a static box to every variable 
in Var, we will denote by A_X[sol] the Ω_X-tuple obtained from A_X by replacing 
each variable Y by sol(Y). Then, a solution of the system of equations (4) is 
an assignment sol such that, for every variable X ∈ Var, sol(X) = Ω_X(A_X[sol]), 
where '=' denotes equality on nets. It turns out [3,6,10,16] that the system 
of net equations (4) always has at least one solution and that all the solutions 
have the same behaviour since the corresponding static boxes have isomorphic 
transition systems (the latter will follow from theorem 6 below). We then fix any 
such solution sol and define, for every process variable X, box(X) = sol(X). 

Compound Expressions. The definition of box is completed by considering all 
the remaining static and dynamic expressions. For every box expression op_Ω(D) 
and every static expression E, box(op_Ω(D)) = Ω(box(D)), box(E̲) = \underline{box(E)} and 
box(Ē) = \overline{box(E)}. 

Theorem 2. For every well-formed box expression D, box(D) is a static or 
dynamic box such that, for every δ ∈ {e, d, x, s}, D ∈ Expr^δ ⟹ box(D) ∈ Box^δ. 
Moreover, if D is an ex-exclusive or x-directed expression, then box(D) is an 
ex-exclusive or x-directed plain box, respectively. □ 

In the case of the DIY algebra, we define the box mapping by setting, for every 
static constant c_i, box(c_i) = Φ_i, and for every dynamic constant c_ij, box(c_ij) = 
Φ_ij. Other than that, we follow the general definitions. E.g., the box in fig- 
ure 3 can be derived thus: box(op_Ω0(c̲1, c22, c3)) = Ω0(box(c̲1), box(c22), box(c3)) = 
Ω0(\underline{box(c1)}, Φ22, box(c3)) = Ω0(Φ̲1, Φ22, Φ3), which is the box shown in figure 3 
(the last step of the derivation is lost in the scan). 

4.2 Structural Similarity Relation on Expressions 

A structural similarity relation on box expressions, ≡, provides a partial struc- 
tural identification of the box expressions with the same denotational semantics. 
We introduced a larger set of expressions than was strictly necessary to ensure 
that the rules of the structural equival ence (and, later, operational semantics) 
act as term rewriting rules. That is, whenever a box expression can match one 
side of such a rule, then it should be guaranteed that the other side is a box 
expression of the correct type too. Hence, we need to allow provisionally more 
general expressions, such as a decorated variable, a decorated dynamic constant, 
a decorated dynamic expression D̲, and op_Ω(C) where C does not correspond 
to a factorisation in fact_Ω, just to be able to express and prove properties saying 
that we do not actually need them. Formally, we define ≡ to be the least binary 
relation on expressions in Expr such that (5)–(9) below hold. 

— For all expressions D, H and J, 

$$ D \equiv D \qquad \frac{D \equiv H}{H \equiv D} \qquad \frac{D \equiv H \quad H \equiv J}{D \equiv J} \qquad (5) $$

— For all flat expressions D and H satisfying box(D) = box(H), and all equa- 
tions X = op_Ω(L), 

$$ D \equiv H \qquad X \equiv op_\Omega(\mathbf{L}) \qquad (6) $$

— For every operator box Ω in OpBox and all factorisations μ and κ of, respec- 
tively, °Ω and Ω°, 

(7) 

where D, J and H are Ω-tuples of expressions such that, for every v ∈ T_Ω, 
D_v = H̲_v if v ∈ μ_e and D_v = H_v otherwise; and J_v = H̄_v if v ∈ κ_x and 
J_v = H_v otherwise. 

— For every operator box Ω in OpBox, for every complex marking reachable 
from the entry marking of Ω, different from °Ω and Ω°, and for every pair 
of different factorisations μ and κ of that marking, 

(8) 

where D and H are Ω-tuples of expressions for which there is an Ω-tuple of 
expressions¹ C such that, for every v ∈ T_Ω, D_v = C̲_v if v ∈ μ_e, D_v = C̄_v if 
v ∈ μ_x and D_v = C_v otherwise; and H_v = C̲_v if v ∈ κ_e, H_v = C̄_v if v ∈ κ_x 
and H_v = C_v otherwise. 

¹ The tuple C used in the formulation of (8) intuitively corresponds to the 'common' 
part of D and H. 

— For all expressions D and H, for every operator box Ω in OpBox, and for all 
Ω-tuples of expressions D and H: 

$$ \frac{D \equiv H}{\underline{D} \equiv \underline{H}} \qquad \frac{D \equiv H}{\overline{D} \equiv \overline{H}} \qquad \frac{\mathbf{D} \equiv \mathbf{H}}{op_\Omega(\mathbf{D}) \equiv op_\Omega(\mathbf{H})} \qquad (9) $$




The meaning of the similarity relation ≡ is standard if we only consider op- 
erator boxes OpBox with finite transition sets. In the general case, we use a 
technique similar to that employed in the case of the syntactic definition of expres- 
sions. 

The structural similarity relation is closed in the domain of box expressions² 
and preserves the types of expressions it relates. 

Theorem 3. If D and H are box expressions, then D ≡ H if and only if ⌊D⌋ ≡ 
⌊H⌋ and box(D) = box(H). □ 

Thus ≡ is a sound equivalence notion from the point of view of denotational 
semantics; it is also complete in the sense that box(D) = box(H) implies D ≡ H 
provided that ⌊D⌋ ≡ ⌊H⌋. The latter condition cannot be left out and, in terms 
of the DIY algebra, a counterexample is provided by the expressions D = X 
and H = Y, where X and Y are variables defined by X = Ω0(c1, c1, Y) and 
Y = Ω0(c1, c1, Y). 

The DIY algebra gives rise to five specific rules for the structural equivalence 
relation (we omit here their symmetric, hence redundant, counterparts). The first 
two are derived from (6): c̲2 ≡ c21 and c̄2 ≡ c23. The third and fourth are derived 
from (7), and the fifth from (8): they relate op_Ω0(E, F, G), with its arguments 
decorated according to a factorisation of °Ω0, of Ω0°, or of another reachable 
marking of Ω0, to \underline{op_Ω0(E, F, G)}, to \overline{op_Ω0(E, F, G)}, and to the same expression 
under a different factorisation of that marking, respectively (the scan does not 
preserve which arguments carry the decorations). But an instance of (8) also 
relates op_Ω0(E, F, G) to a decoration of its arguments that is not a factorisation, 
which shows why it was necessary to use a larger set of expressions than Expr^box. 
An application of these rules (more precisely, rules (5) and (9)) is illustrated by 
the following derivation tree: 

$$ \frac{\dfrac{c_1 \equiv c_1 \qquad c_{23} \equiv \overline{c_2} \qquad c_3 \equiv c_3}{op_{\Omega_0}(c_1, c_{23}, c_3) \equiv op_{\Omega_0}(c_1, \overline{c_2}, c_3)} \qquad op_{\Omega_0}(c_1, \overline{c_2}, c_3) \equiv \overline{op_{\Omega_0}(c_1, c_2, c_3)}}{op_{\Omega_0}(c_1, c_{23}, c_3) \equiv \overline{op_{\Omega_0}(c_1, c_2, c_3)}} $$


4.3 Transition Rules of the Operational Semantics 

We now introduce operational rules based on the transitions of boxes which 
provide the denotational semantics of the box algebra expressions. Consider 
the set of all the transition (tree) names in the boxes derived through the box 
mapping, 

$$ T^{box}_{tree} = \bigcup_{D \in Expr^{box}} T_{box(D)} \ \cup \bigcup_{E \in Expr^{s}} T_{box(E)} . $$

One can see that each t ∈ T^box_tree has a unique label, lab(t), in all (possibly different) 
boxes associated with box expressions in which it occurs. The derivation system 
we shall define has moves of the form D —U→ H, where D and H are expressions 
and U is a finite subset of T^box_tree ∪ {skip, redo}. The idea here is that U is a valid 
step for the boxes associated with D and H, after augmenting them with the skip 
and redo transitions. We will denote, for every such set, lab(U) = {lab(t) | t ∈ U}, 
assuming that lab(skip) = skip and lab(redo) = redo. A move D —∅→ H has 
a special interpretation: the empty step U = ∅ signifies that D and H are 
representations of the same system, and the only difference is that they present 
two possibly different views on it. 

Formally, we define a ternary relation —→ which is the least relation com- 
prising all the triples (D, U, H), where D and H are expressions and U is a finite 
subset of T^box_tree ∪ {skip, redo}, such that (10)–(13) below hold. Note that instead 
of writing (D, U, H) ∈ —→ we use the notation D —U→ H. 

² That is, whenever a box expression can match one side of a rule, then it is also 
guaranteed that the other side is a box expression too. A similar comment applies to 
the rules of the structured operational semantics. 



— For every static expression E: 

$$ E \xrightarrow{\{skip\}} \underline{E} \qquad\qquad \overline{E} \xrightarrow{\{redo\}} E . \qquad (10) $$

— For all box expressions D, J and H: 

$$ \frac{D \equiv H}{D \xrightarrow{\emptyset} H} \qquad \frac{D \equiv J \quad J \xrightarrow{U} H}{D \xrightarrow{U} H} \qquad \frac{D \xrightarrow{U} J \quad J \equiv H}{D \xrightarrow{U} H} \qquad (11) $$

— For every flat expression D and a non-empty step of transitions U enabled 
by box(D), there is a flat expression H such that box(D) [U⟩ box(H) and: 

$$ D \xrightarrow{U} H \qquad (12) $$

— For every Ω ∈ OpBox, and all Ω-tuples D and H of expressions: 

$$ \frac{\forall v \in T_\Omega:\ D_v \xrightarrow{U_v} H_v \qquad U_v = U_v^1 \uplus \cdots \uplus U_v^{k_v} \qquad \forall i \le k_v:\ (lab(U_v^i), \alpha_v^i) \in \lambda_\Omega(v)}{op_\Omega(\mathbf{D}) \xrightarrow{U} op_\Omega(\mathbf{H})} \qquad (13) $$

where $U = \{(v, \alpha_v^i) \lhd U_v^i \mid v \in T_\Omega \wedge i \le k_v\}$ is finite. 
Notice that the only way to generate a skip or redo is through applying the 
rules (10); i.e., if D —U→ H then skip ∈ U implies U = {skip}, and redo ∈ U 
implies U = {redo}. The meaning of the operational semantics is standard if all 
the boxes in OpBox have finite transition sets; in general, however, we need to 
treat infinite operator boxes as well. The detailed treatment closely follows that 
for ≡. 

A move of the operational semantics transforms a box expression into another 
box expression with structurally equivalent underlying static expression, and the 
move generated is a valid step for the corresponding boxes. We interpret this as 
a result establishing the soundness of the operational semantics. 

Theorem 4. Let D be a box expression and D —U→ H. Then H is a box expres- 
sion such that box(D)_sr [U⟩ box(H)_sr and ⌊D⌋ ≡ ⌊H⌋. □ 

The next result establishes the completeness of the operational semantics. 

Theorem 5. Let D be a box expression and box(D)_sr [U⟩ Σ_sr. Then there is a 
box expression H such that box(H) = Σ and D —U→ H. □ 



In the DIY algebra, the axiomatisation of the flat expressions is given by 
ten axioms, each a single move between two flat expressions labelled by a 
one- or two-element step of transitions. The pairs of flat expressions related 
are c2 and c22, c1 and c11, c21 and c22, c1 and c1, c1 and c12, c22 and c2, c12 
and c1, c22 and c23, c11 and c1, and c3 and c3; the steps appearing on them 
include {t21}, {t12}, {t11, t12}, {t22} and {t31} (the scan does not preserve 
which step labels which axiom). The inference rule for the only operator box, 
Ω0, can be formulated thus: 

$$ \frac{D \xrightarrow{\{t_1, \ldots, t_k,\, u_1, \ldots, u_k,\, x_1, \ldots, x_l\}} D' \qquad H \xrightarrow{\{y_1, \ldots, y_m\}} H' \qquad G \xrightarrow{\{z_1, \ldots, z_n\}} G'}{op_{\Omega_0}(D, G, H) \xrightarrow{U} op_{\Omega_0}(D', G', H')} $$

where k, l, m, n ≥ 0; {lab(t_i), lab(u_i)} = {a, b}, for every i ≤ k; lab(x_i) ∉ {a, b}, 
for every i ≤ l, and the step U is given by: 

$$ U = \{(v_1, f) \lhd \{t_1, u_1\}, \ldots, (v_1, f) \lhd \{t_k, u_k\}\} \cup \{(v_1, lab(x_1)) \lhd x_1, \ldots, (v_1, lab(x_l)) \lhd x_l\} \cup \{(v_2, lab(y_1)) \lhd y_1, \ldots, (v_2, lab(y_m)) \lhd y_m\} \cup \{(v_3, lab(z_1)) \lhd z_1, \ldots, (v_3, lab(z_n)) \lhd z_n\} $$

For example, the following is a valid sequence of three moves (only the first step 
label, {w1, w2}, and none of the entry/exit decorations of the expressions are 
preserved in the scan): 

op_Ω0(c1, c2, c3) —{w1, w2}→ op_Ω0(c1, c22, c3) —→ op_Ω0(c1, c2, c3) —→ op_Ω0(c1, c2, c3) 

A derivation tree for the first move is shown on the original page; of it, only 
the three leaves are recoverable, namely the moves c1 → c1, c2 → c22 and 
c3 → c3 with the steps {t11, t12}, {t21} and ∅, respectively. 
5 The Main Result 

The consistency between the denotational and operational transition based se- 
mantics of box expressions will be expressed by making a statement about the 
transition systems they generate. Below, for every box expression D, [D⟩ is the 
smallest set of expressions such that D ∈ [D⟩, and if H —U→ G and H ∈ [D⟩ 
then G ∈ [D⟩; moreover, [D]≡ denotes the equivalence class of ≡ containing D. 

With each dynamic expression D we shall associate the transition system 
ts_D = (V, L, A, [D]≡) such that: L, the set of all finite subsets of T^box_tree ∪ 
{skip, redo}, is the set of move labels; V = {[H]≡ | H ∈ [D⟩} is the set 
of nodes; the arcs are given by A = {([H]≡, U, [G]≡) | H —U→ G}; and [D]≡ is 
the initial node. Moreover, with each static expression E, we shall associate the 
transition system ts_E = ts_E̲. 

We now can state a fundamental result which holds for the box algebra. In 
a nutshell, it proves that the operational and denotational semantics of a box 
expression capture the same behaviour, in arguably the strongest sense. 

Theorem 6. Let D be a box expression. Then ts_D and ts_box(D) are isomorphic 
transition systems. Moreover, 

iso = {(n, box(H)) | n is a node in ts_D and H ∈ n} 

is an isomorphism for ts_D and ts_box(D). □ 

The operational semantics based on transition trees is very expressive. How- 
ever, it may sometimes be sufficient to record only the labels of the executed 
transitions, in the usual style of process algebras. Such a treatment can easily be 
accommodated within the scheme developed so far and a counterpart of theo- 
rem 6 formulated and proved correct [6]. The two types of operational semantics 
are related; in essence, each label based move is a transition based move with 
only the transition labels being recorded. 

Theorem 6 extends also to partial order semantics based on Mazurkiewicz 
traces [17], a model of partial order behaviour based solely on transitions. 
Briefly, given a step sequence ω and an independence relation ind, one can define 
a meaningful partial order poset_ind(ω) which is fully consistent with the standard 
causality semantics. For a labelled net Σ, ind = ind_Σ is defined in the usual way; 
for the box expression model, it is possible to define a relation ind^box ⊆ T^box_tree × T^box_tree 
such that, for every box expression D, ind_box(D) = (T_box(D) × T_box(D)) ∩ ind^box. 
With such an ind^box, a global independence relation, the consistency result 
obtained for transition based operational semantics can be lifted to the level of 
partial order executions, using the above property and theorem 6. 
Abstract: We show how the branching process approach can be used for the detection 
of illegal behaviors. Our study is based on the specification of properties in terms of 
testers that cover safety as well as liveness properties. We demonstrate that the 
unfolding method can be used in this context and propose an extension of it, called 
unfolding graphs, for the computation of failure equivalent graphs. 

Keywords: Model Checking, Partial Order, Failure Equivalence, Petri Net 



1. Introduction 

One of the main problems of exhaustive system verification is the so-called state 
explosion. Some methods ([Pel93], [God96], [Val91], [Val93]) avoid the exploration 
of the complete state space during verification by applying reductions based on partial 
order semantics. These reductions are defined to preserve the information necessary for 
verification. Another approach consists in implementing the verification directly on a 
representation of the partial order. Branching processes (or unfoldings) ([NPW81], 
[Eng91]) propose branching semantics of partial orders for Petri nets. McMillan 
[McM92] has described the construction of a finite branching process in which all 
reachable markings are represented. He has shown how branching processes can be 
used for the detection of global deadlocks and the reachability problem for finite state 
space Petri nets. Many improvements of this method concern the efficiency of the 
unfolding construction and the verification of safety properties, or the verification of 
branching temporal logic [Esp93] and linear temporal logic [CP96], [Poi96], [Wal98]. 

We present how the branching process approach can be used for the detection of 
illegal behaviors. Our study is based on the specification of properties in terms of 
testers [Val93] which cover safety and liveness properties. We demonstrate that the 
unfolding method can be used in this context and propose an extension of it, called 
unfolding graphs, for the computation of failure equivalent graphs [Val90]. 

After a presentation of the Petri net model and the associated partial order 
semantics, we recall the notion of tester and the corresponding verification process. 
In the sequel, we discuss the use of unfolding in this context and present a simple 
characterization of illegal behaviors. Then, unfolding graphs are introduced and 
discussed. Finally, a section is dedicated to the experimentation of the different 
methods and some concluding remarks close the paper. 

2. Preliminaries 

The first part of this section presents some basic notions and notations of P/T net, 
processes, and branching processes. The second part describes how properties of a 
system can be expressed by means of testers. 
P/T Nets and their behaviors 

We assume that the reader is familiar with the basic notions and notations of P/T 
nets as given for instance in [Mur89]. We denote a P/T net by N = (P, T, F, m0) where 
(P, T, F) is a net and m0 is its initial marking. The set of predecessors of a transition t 
is called its precondition and is denoted by •t. Its set of successors is called its 
postcondition and is denoted by t•. For a given marking, a transition is said to be 
enabled if each place of its precondition contains at least one token. The firing of a 
transition produces a new marking by removing one token from each place of its 
precondition and by adding one to each place of its postcondition. The set of 
reachable markings of a net N is denoted by Reach(N). The transition system of a P/T 
net N is (Reach(N), T, F, m0) where F = {(m, t, m') | m[t⟩m'}. By extension, a 
labeled P/T net N is denoted by (P, T, Σ, λ, F, m0) where Σ is the action set and λ is a 
mapping from T to Σ. It also defines a transition system. 
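As an added illustration of these definitions (example code, not from the paper), the following Python snippet encodes a small, constructed P/T net by the preconditions and postconditions of its transitions and computes enabledness, firing, Reach(N) and the transition system (Reach(N), T, F, m0) by breadth-first search over markings; all place and transition names are constructed for the example.

```python
from collections import deque

# Constructed example, not from the paper: a P/T net N = (P, T, F, m0) with arc
# weight 1 everywhere, given by the precondition and postcondition of each transition.
PRE = {"t1": {"p1"}, "t2": {"p2"}, "t3": {"p3"}, "t4": {"p4", "p5"}, "t5": {"p2"}}
POST = {"t1": {"p2", "p3"}, "t2": {"p4"}, "t3": {"p5"}, "t4": {"p1"}, "t5": set()}
M0 = {"p1": 1}


def canon(m):
    """Hashable form of a marking: places with zero tokens are dropped."""
    return tuple(sorted((p, n) for p, n in m.items() if n > 0))


def enabled(m, t):
    """t is enabled iff each place of its precondition holds at least one token."""
    return all(m.get(p, 0) >= 1 for p in PRE[t])


def fire(m, t):
    """Firing removes one token from each input place and adds one to each output place."""
    assert enabled(m, t), f"{t} is not enabled"
    new = dict(m)
    for p in PRE[t]:
        new[p] -= 1
    for p in POST[t]:
        new[p] = new.get(p, 0) + 1
    return new


def transition_system():
    """Reach(N) and the arc set F = {(m, t, m') | m[t>m'}, by breadth-first search."""
    start = canon(M0)
    markings, arcs = {start}, set()
    queue = deque([M0])
    while queue:
        m = queue.popleft()
        for t in PRE:
            if enabled(m, t):
                m2 = fire(m, t)
                arcs.add((canon(m), t, canon(m2)))
                if canon(m2) not in markings:
                    markings.add(canon(m2))
                    queue.append(m2)
    return markings, arcs


def dead_markings():
    """Reachable markings that enable no transition (the dead markings of N)."""
    markings, _ = transition_system()
    return {m for m in markings if not any(enabled(dict(m), t) for t in PRE)}


if __name__ == "__main__":
    ms, arcs = transition_system()
    print(len(ms), "reachable markings,", len(arcs), "arcs, dead:", dead_markings())
```

The net has seven reachable markings and nine arcs; the choice at p2 between t2 and t5 (a transition with an empty postcondition) is what produces the single dead marking {p5}, the kind of state that Tester 1 in the later sections is designed to catch.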

An alternative to this representation is to describe system behaviors by particular 
labeled P/T nets called processes. In a process, places and transitions are respectively 
called conditions and events. A process is a labeled P/T net for which each condition 
has at most one input and one output event. Conditions without input event are said to 
be initial and those without output events are said to be final. The initial process of a 
net is formed by a set of conditions, one for each token of the initial marking. The 
label of a condition corresponding to a token is the place of the original net containing 
it. It is clear that in the initial process, each condition is initial and final. A new 
process is constructed from a given process by connecting to some final conditions of 
the process a new event labeled t with its output conditions. To be valid, the labels of 
the input and output conditions must coincide with the input and output places of the 
transition t of the original net. It is important to note that a process is cycle free by 
definition and that the notion of process takes into account the concurrence of the 
transition firings. 

The construction of all the possible behaviors of a net leads to the construction of 
a new type of labeled P/T net called a branching process. In a branching process, each 
condition has at most one input event and the net is cycle free. Conditions without 
input events are called initial. Processes of a branching process are its subgraphs 
in which each condition has at most one output event and such that the set of 
conditions without input events is exactly the set of initial conditions of the branching 
process. A given branching process can be extended by the extension of one of its 
processes. This operation is valid only if there does not exist a distinct event with the 
same input conditions and the same label in the branching process. This construction 
can lead to an infinite branching process even in the case of a finite state system. The 
construction of a particular finite prefix of the complete branching process is the 
starting point of the unfolding techniques presented in the following sections. 

We denote a (branching) process of a net N = (P, T, F, m0) by U = (B, E, W, h) 
where B and E are the sets of conditions and events respectively, W is the flow 
relation and h is a labeling function from B ∪ E to P ∪ T. To be a valid (branching) 
process of N, U must satisfy the constraints above. 

As previously seen, processes and branching processes are cycle-free graphs by 
definition. This characteristic induces a partial order relation < on the nodes 
(conditions and events) of the graph. In this order, the initial conditions are the 
smallest elements (denoted by Min(U)). Each pair (x, y) of nodes of a branching 
process belongs to precisely one of the following relations: 
■ Causality relation: x is before y (x < y) or x is after y (x > y), 

■ Conflict relation (x # y): two distinct events, one before x and the other before y, 
share an input condition, 

■ Concurrency relation (x // y): x and y are neither in conflict nor causal. 

The causality relation x < y between two events reveals that in any process where y 
can be fired, the event x is fired first. Two events in conflict cannot be fired in the 
same process, while two concurrent events can be fired in parallel. The relations on 
the conditions are interpreted in a similar way. In particular, a set of concurrent 
conditions can be marked in the same state. In a process, two nodes are either 
concurrent or causal. 

A configuration is a set of events that is conflict-free (no pair of events belongs to the 
conflict relation) and closed under the causality relation (each event which is before any 
event of the configuration belongs to the configuration). Configurations exactly 
describe the processes of an unfolding: the set of conditions and events constructed 
from the events of a configuration completed by their surrounding conditions and the 
initial ones is a process; conversely, the events of a process form a configuration. We 
denote by Conf(U) the set of configurations of a (branching) process U and by 
MaxConf(U) ⊆ Conf(U) the set of maximal configurations (w.r.t. set inclusion). The 
minimal configuration (w.r.t. set inclusion) which contains an event e is called the 
local configuration of e and is denoted [e]. By extension, for a condition b, we denote 
by [b] the local configuration [•b] if b has an input event, and the empty set 
otherwise. Moreover, for a set A ⊆ B ∪ E, [A] denotes the event set obtained as the 
union of the local configurations of the elements of A. Note that [A] is not necessarily a 
configuration. For a configuration C, we denote by Cut(C) the condition set defined 
by (Min(U) ∪ C•) \ •C. It is clear that h(Cut(C)) corresponds to the marking of N 
reached after the firing of h(C). 
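The relations and notions just defined, worked out on a small constructed branching process (an added example, not one of the paper's figures): causality, conflict, concurrency, the local configuration [e], the configuration test (conflict-free and causally closed), and Cut(C), whose labels give the marking reached after h(C). The conditions, events and their labels are all constructed for the example.

```python
# Constructed branching process (not one of the paper's figures) of a small net:
# conditions are labelled by places, events by transitions.
COND = {"b1": "p1", "b2": "p2", "b3": "p3", "b4": "p4", "b5": "p5", "b6": "p1"}
EVENT = {  # event: (label, input conditions, output conditions)
    "e1": ("t1", {"b1"}, {"b2", "b3"}),
    "e2": ("t2", {"b2"}, {"b4"}),
    "e3": ("t3", {"b3"}, {"b5"}),
    "e5": ("t5", {"b2"}, set()),          # e2 and e5 compete for b2
    "e4": ("t4", {"b4", "b5"}, {"b6"}),
}


def pre(x):
    """Immediate predecessors: input conditions of an event, input event of a condition."""
    if x in EVENT:
        return set(EVENT[x][1])
    return {e for e, (_, _, out) in EVENT.items() if x in out}


def below(x):
    """All nodes strictly before x in the partial order (transitive closure of W)."""
    seen, stack = set(), list(pre(x))
    while stack:
        y = stack.pop()
        if y not in seen:
            seen.add(y)
            stack.extend(pre(y))
    return seen


def causal(x, y):
    return x in below(y) or y in below(x)


def conflict(x, y):
    """x # y: two distinct events, one before-or-equal x and the other before-or-equal y,
    share an input condition."""
    ex = {e for e in below(x) | {x} if e in EVENT}
    ey = {e for e in below(y) | {y} if e in EVENT}
    return any(a != b and EVENT[a][1] & EVENT[b][1] for a in ex for b in ey)


def concurrent(x, y):
    return x != y and not causal(x, y) and not conflict(x, y)


def local_config(e):
    """[e]: the least configuration containing e."""
    return {f for f in below(e) if f in EVENT} | {e}


def is_configuration(C):
    """A configuration is causally closed and conflict-free."""
    closed = all(local_config(e) <= C for e in C)
    return closed and not any(conflict(a, b) for a in C for b in C if a != b)


def cut(C):
    """Cut(C) = (Min(U) union C-post) minus C-pre, the conditions left after C."""
    minimal = {b for b in COND if not pre(b)}
    post = set().union(*(EVENT[e][2] for e in C))
    pre_c = set().union(*(EVENT[e][1] for e in C))
    return (minimal | post) - pre_c


def marking_after(C):
    """h(Cut(C)): the marking of the original net reached after firing h(C)."""
    return sorted(COND[b] for b in cut(C))
```

Note that e5 is in conflict not only with e2 but also with e4, although e4 does not consume b2: the conflict is inherited through e2 < e4, which is exactly why the definition quantifies over all events before x and y.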




Figure 1: A P/T net and one of its process 



Figure 1 presents a P/T net and one of its processes. One can note that this 
process is maximal and leads to a dead marking. Figure 2 presents the (infinite) 
complete branching process of the net and a finite branching process called the 
unfolding. This unfolding has some "good properties." In particular, it is possible to 
demonstrate the reachability of a marking from the initial one and the presence of 
dead markings. 
Figure 2: The complete branching process and one unfolding of the net. 

In the sequel we use the following particular notations: 

• π = (B(π), E(π), W(π), h(π)) is used to denote the different components of a 
branching process π. 

• π(C) is used to denote the process corresponding to a configuration C, and 
π(C\C1), when C1 ⊆ C, denotes the process from Cut(C1) composed of the events 
C\C1. 

• π1 ≤ π2 means that process π1 is a prefix of process π2. 

• π1.π2 is a concatenation of two processes such that h(Cut(π1)) = h(Min(π2)). 

• e0 is the artificial initial event which produces the initial marking of any 
branching process. 

Tester and failure equivalence 

A tester [Val93] is an automaton that controls the behavior of a labeled P/T net 
through a subset of actions said to be controlled. The edges of the tester are labeled by 
controlled actions. Hence, a P/T net behaves without constraint for transitions labeled 
by uncontrolled actions and is synchronized with the tester for transitions labeled with 
controlled actions. Büchi automata are a particular kind of testers for which all the 
actions are controlled. 

The tester states are typed (mortal reject, deadlock reject, live reject and divergent 
reject) and lead to the detection of illegal behaviors: 

1. Mortal illegal behavior: behavior leading the tester into a state of mortal reject. 

2. Deadlock illegal behavior: deadlock behavior (which cannot be extended) 
leading the tester into a state of deadlock reject. 

3. Live illegal behavior: infinite behavior which leads the tester an infinite number 
of times into a state of live reject. 

4. Divergent illegal behavior: infinite behavior which leads (and leaves) the tester 
in a state of divergent reject. 

Detection of illegal behaviors of types 1 and 2 involves reachability problems, while 
detection of behaviors of types 3 and 4 involves cycle detection in the reachability graph. 

Definition (tester): A tester Z is a tuple (Q, Control, H, q0, Mortal, Deadlock, Live, 
Divergent) where 

• Q is a set of states, 

• Control is a set of controlled actions, 

• H is a transition relation (H ⊆ Q × Control × Q), 

• q0 is an initial state (q0 ∈ Q), 

• Mortal, Deadlock, Live and Divergent are subsets of Q. 

Figure 3 gives a symbolic notation for qualifying the type of the tester states and 
presents some simple tester samples. Tester 1 detects the deadlock behaviors of a net. 
Tester 2 exhibits behaviors which are not in the language (ab)+(ab)a. Tester 3 
detects divergent behaviors of the form ababab ... ba. 



Legend of Figure 3 (the symbols themselves are lost in the scan): mortal reject; 
deadlock reject; divergent reject; live reject; initial marking. 

Figure 3: Tester samples 



The synchronization of a tester with a transition system gives a new transition system 
defined as follows. 

Definition (synchronization): Let Z = (Q, Control, H, q0, Mortal, Deadlock, Live, 
Divergent) be a tester. Let Sys = (S, Σ, F, s0) be a transition system such that Control 
⊆ Σ. Define Z // Sys to be the transition system (S', Σ', F', s0') such that 

• S' = Q × S 

• Σ' = Σ 

• F' = {((q1, s1), a, (q2, s2)) ∈ S'×Σ'×S' : (q1, a, q2) ∈ H ∧ (s1, a, s2) ∈ F} ∪ 
{((q, s1), a, (q, s2)) ∈ S'×Σ'×S' : a ∉ Control ∧ (s1, a, s2) ∈ F} 

• s0' = (q0, s0) 




Figure 4: Samples of labeled P/T nets 
Illegal behavior can be defined for a synchronization. 

Definition (illegal behavior): Let Z be a tester and Sys be a transition system. Let σ = 
(q0, s0) a0 (q1, s1) a1 ... be a finite (i ∈ [0, n]) or infinite (i ∈ ℕ) behavior of Z // Sys. 
We say 

1. σ is a mortal reject behavior iff ∃i: qi ∈ Mortal, 

2. σ is a deadlock reject behavior iff σ is finite ∧ qn ∈ Deadlock ∧ (qn, sn)• = ∅, 

3. σ is a live reject behavior iff {i | qi ∈ Live} and {i | ai ∈ Control} are infinite, and 

4. σ is a divergent reject behavior iff σ is infinite ∧ ∃i0: q_i0 ∈ Divergent ∧ ∀i > i0, ai 
∉ Control. 
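The synchronization Z // Sys and the four reject conditions just defined, as an added example that is not part of the paper: the tester, the transition system and every name in the code are constructed for illustration. On the finite product, the live and divergent conditions (types 3 and 4) reduce to the cycle search on the reachability graph mentioned at the start of this section, which is what the last two functions do.

```python
"""Added example, not code from the paper: build Z // Sys for a tester Z and a
finite transition system Sys, then check the four reject conditions of the
"illegal behavior" definition. The tester, the transition system and every
name below are constructed for illustration."""
from collections import defaultdict

# Constructed tester: a and b are controlled and must alternate, else q_bad.
TESTER = {
    "Control": {"a", "b"},
    "H": {("q0", "a", "q1"), ("q1", "b", "q0"),
          ("q0", "b", "q_bad"), ("q1", "a", "q_bad")},
    "q0": "q0",
    "Mortal": {"q_bad"}, "Deadlock": {"q0"}, "Live": {"q0"}, "Divergent": {"q0"},
}
# Constructed transition system; c is internal, i.e. not a controlled action.
SYS = {
    "F": {("s0", "a", "s1"), ("s1", "b", "s0"), ("s1", "a", "s3"),
          ("s1", "c", "s2"), ("s2", "c", "s2"), ("s2", "b", "s4")},
    "s0": "s0",
}

def synchronize(Z, Sys):
    """Reachable part of Z // Sys: a controlled action moves tester and system
    together (blocked if the tester has no move); any other action moves Sys only."""
    init = (Z["q0"], Sys["s0"])
    succ = defaultdict(set)                  # state -> {(action, successor)}
    todo, seen = [init], {init}
    while todo:
        q, s = todo.pop()
        for s1, a, s2 in Sys["F"]:
            if s1 != s:
                continue
            if a in Z["Control"]:
                targets = [(q2, s2) for q1, a1, q2 in Z["H"] if (q1, a1) == (q, a)]
            else:
                targets = [(q, s2)]
            for t in targets:
                succ[(q, s)].add((a, t))
                if t not in seen:
                    seen.add(t)
                    todo.append(t)
    return init, seen, succ

def reachable(succ, v, edge_ok=lambda a: True):
    """States reachable from v by at least one edge accepted by edge_ok."""
    todo, seen = [v], set()
    while todo:
        for a, w in succ[todo.pop()]:
            if edge_ok(a) and w not in seen:
                seen.add(w); todo.append(w)
    return seen

def mortal_reject(Z, Sys):
    """Condition 1: a reachable product state whose tester state is Mortal."""
    _, states, _ = synchronize(Z, Sys)
    return sorted(x for x in states if x[0] in Z["Mortal"])

def deadlock_reject(Z, Sys):
    """Condition 2: a reachable state with no successor whose tester state is Deadlock."""
    _, states, succ = synchronize(Z, Sys)
    return sorted(x for x in states if x[0] in Z["Deadlock"] and not succ[x])

def live_reject(Z, Sys):
    """Condition 3: a controlled edge on a cycle through a Live tester state gives a
    run with infinitely many Live states and infinitely many controlled actions."""
    _, states, succ = synchronize(Z, Sys)
    for v in sorted(states):
        for a, w in sorted(succ[v]):
            if a in Z["Control"] and v in reachable(succ, w):      # edge lies on a cycle
                scc = {u for u in reachable(succ, v) if v in reachable(succ, u)}
                if any(q in Z["Live"] for q, _ in scc):
                    return sorted(scc)
    return None

def divergent_reject(Z, Sys):
    """Condition 4: a Divergent tester state from which uncontrolled edges lead to
    an uncontrolled cycle, so the tester state never changes again."""
    _, states, succ = synchronize(Z, Sys)
    internal = lambda a: a not in Z["Control"]
    for x in sorted(states):
        if x[0] in Z["Divergent"]:
            ahead = reachable(succ, x, internal) | {x}
            if any(v in reachable(succ, v, internal) for v in ahead):
                return x
    return None
```

With the constructed data, the product has a mortal reject (the tester sees a twice), a deadlock reject (s4 after the tester returned to q0), and a live reject (the a/b cycle through q0), but no divergent reject because the only internal loop (c on s2) is entered while the tester is in q1, which is not Divergent; making q1 Divergent turns that loop into a divergent reject.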

By synchronizing the testers of Figure 3 with the labeled P/T nets of Figure 4, we obtain the 
table of Figure 5. A “reject” specifies that the tester has detected an illegal behavior. 

        Tester 1    Tester 2    Tester 3 
PN1     reject 
PN2 
PN3                 reject      reject 

Figure 5: Tester results 



The synchronization of a tester Z can also be directly done on a labeled P/T net N. 
The synchronization consists in the construction of a new P/T net, denoted Z // N. It 
corresponds to the fusion of transitions with regard to controlled actions followed by 
the association of a place of the new P/T net Z // N to each state of the tester. We 
denote by Mortal(Z // N), Deadlock(Z // N), Live(Z // N) and Divergent(Z // N) the 
corresponding sets of reject places and Tester(Z // N) the tester place set. 

The four forms of illegal behaviors are translated in the following way: 

1. Mortal illegal behavior: a behavior which marks a place of mortal reject, 

2. Deadlock illegal behavior: a finite behavior whose final marking is a deadlock 
and contains a marked place of deadlock reject, 

3. Live illegal behavior: an infinite behavior modifying infinitely often the marking of 
a place of live reject, and 

4. Divergent illegal behavior: an infinite behavior which marks and leaves marked a 
place of divergent reject. 

Moreover, illegal behavior can be expressed in terms of processes. 

Definition (illegal process): Let Z be a tester and N be a labeled P/T net. Let π be a 
finite or infinite process of Z // N. Then 

1. π is a mortal reject process iff ∃b ∈ B(π): h(b) ∈ Mortal(Z // N), 

2. π is a deadlock reject process iff π is finite and maximal ∧ h(Cut(π)) ∩ 
Deadlock(Z // N) ≠ ∅, 

3. π is a live reject process iff {b ∈ B(π) | h(b) ∈ Live(Z // N)} is infinite, and 

4. π is a divergent reject process iff π is infinite ∧ ∃b ∈ B(π): h(b) ∈ Divergent(Z 
// N) ∧ b• = ∅. 

The companion piece to the notion of tester is the failure equivalence [Val90]. Two 
P/T nets are failure equivalent with respect to a set of controlled actions iff the sets of 
testers detecting an illegal behavior are the same for both nets. This equivalence 
relation is a congruence with respect to the synchronization operation on labeled P/T 
nets with respect to the set of controlled actions. We can remark that the nets of 
Figure 4 are not equivalent with respect to the set of controlled actions {a, b}. On the 
other hand, the nets PN2 and PN3 are equivalent with respect to the set {c, d}. 

We introduce the notion of failure transition system: an abbreviation of transition 
system with respect to the failure equivalence that integrates the existence of deadlock 
and divergence behaviors local to a state. 
Definition (failure transition system): A failure transition system is a tuple (S, Σ, 
F, s0, Control, div, fail) where 

• (S, Σ, F, s0) is a transition system, 

• Control is the controlled action set (Control ⊆ Σ), 

• div is the divergent state set (div ⊆ S), and 

• fail is a mapping from S to 2^(2^Control). 

s ∈ div means that the system can loop internally in the state s, and D ∈ fail(s) 
indicates that the system can reach internally, from s, a state where only transitions 
labeled by an element of D are enabled. We now define an illegal behavior in 
terms of a failure transition system. 

Definition (illegal behavior): Let Z be a tester and fsys be a failure transition system. 
Let σ = (q0, s0) a0 (q1, s1) a1 ... be a finite (i ∈ [0, n]) or infinite (i ∈ ℕ) behavior of Z 
// fsys. 

1. σ is a mortal reject behavior iff ∃i: qi ∈ Mortal, 

2. σ is a deadlock reject behavior iff σ is finite ∧ qn ∈ Deadlock ∧ ∃D ∈ fail(sn): 
{a ∈ Control ∩ D | (qn, a, q) ∈ H} = ∅, 

3. σ is a live reject behavior iff {i | qi ∈ Live} is infinite, and 

4. σ is a divergent reject behavior iff (σ is infinite ∧ ∃i0: q_i0 ∈ Divergent ∧ ∀i > i0, ai 
∉ Control) ∨ (∃i: qi ∈ Divergent ∧ si ∈ div). 

3. Unfolding 

An unfolding of a P/T net is defined as a finite prefix of the complete branching 
process preserving a representation of all reachable markings. In this section, we 
present the usefulness of unfoldings for the detection of illegal behavior. Mortal and 
deadlock rejects are detected in a simple and natural way. Live and divergent rejects 
depend on the characterization of infinite behaviors. We expose the difficulties and 
the pitfalls of this characterization and present a simple technique for detecting these 
behaviors. 

Elementary unfolding properties 

The construction of an unfolding begins from the set of initial conditions and 
continues the enumeration of concurrent condition sets corresponding to the inputs of 
P/T net transitions. When such a new set is detected, a corresponding event is added 
as well as the associated output conditions. 

At each stage of the unfolding construction, we obtain a branching process β and a set 
of particular events Cutout for which there are extensions that have not been explored. 
The validity of this construction relies on the way that a process of the net can be 
projected onto the unfolding. 

1. The process is contained in the unfolding: the process is isomorphic to a 
configuration of the unfolding containing no cutout. 

2. The process crosses a cutout: the local configuration of a cutout is isomorphic to 
a prefix of the process. 

We call such a couple (β, Cutout) a stable branching process. 

Definition (stable branching process): Let β be a branching process of a net N and 
Cutout be an event set of β. The couple (β, Cutout) is a stable branching process iff 
for every process π of N, one of the two following conditions holds: 

1. ∃C ∈ Conf(β): C ∩ Cutout = ∅ ∧ Π(C) = π, 

2. ∃e ∈ Cutout, ∃C ∈ Conf(π): Π([e]) = Π(C). 

A simple rule to stop an extension of a cutout event e is to find a non-cutout event Φ(e) 
such that the cuts of e and Φ(e) correspond to the same state in N. The final result of 
the unfolding construction is called an unfolding and cutout events are called cutoff 
events. 

Definition (unfolding): An unfolding of a net N is a tuple (β, Cutoff, Φ) such that (β, 
Cutoff) is a stable branching process of N and Φ is a mapping from Cutoff to 
E(β) \ Cutoff which fulfils ∀e ∈ Cutoff: h(Cut([e])) = h(Cut([Φ(e)])). 

This simple rule is not adequate to obtain “good unfoldings” even for safe P/T nets: 
a safe P/T net example due to McMillan and presented in [ERV96] shows that not all 
reachable markings need be represented in its unfolding. Cutoff rules, as in 
[McM92] [Esp93] [ERV96] [KKTT96], are defined to ensure this reachability 
property. We consider two rules significant for the detection of illegal behavior: the 
size rule and the inclusion rule. 

Size rule [McM92]: 

1. A cutoff e is associated with an event Φ(e) such that [e] and [Φ(e)] lead to the 
same marking. 

2. The size of [Φ(e)] is strictly smaller than the size of [e]. 

Inclusion rule [Esp93]: 

1. A cutoff e is associated with an event Φ(e) such that [e] and [Φ(e)] lead to the 
same marking. 

2. [Φ(e)] is strictly included in [e]. 

These rules induce two kinds of unfoldings: size rule unfoldings, and inclusion rule 
unfoldings. One can note that an inclusion rule unfolding is also a size rule unfolding. 

Definition (size rule unfolding): An unfolding (β, Cutoff, Φ) fulfils the size rule iff 
∀e ∈ Cutoff: |[Φ(e)]| < |[e]| 

Such an unfolding is called a size rule unfolding. 

Definition (inclusion rule unfolding): An unfolding (β, Cutoff, Φ) fulfils the inclusion 
rule iff 

∀e ∈ Cutoff: [Φ(e)] ⊂ [e] 

Such an unfolding is called an inclusion rule unfolding. 

The unfoldings presented in Figures 6, 7 and 8 are constructed using indiscriminately 
the inclusion or the size rules. These rules are adequate to obtain “good unfoldings”: 
reachability and deadlock properties of the net N can be directly obtained from its 
unfolding [McM92]. 
Figure 6: Unfoldings of PN1, PN2 and PN3 (Unfolding 1: Φ(e4) = Φ(e6) = e0, Φ(e8) = e1; 
Unfolding 2: Φ(e3) = Φ(e5) = e0, Φ(e6) = e1; Unfolding 3: Φ(e3) = Φ(e5) = e0, Φ(e4) = e1) 

Proposition (reachability property) [McM92]: If (β, Cutoff, Φ) is a size rule 
unfolding of a net N then 

∀m ∈ Reach(N), ∃C ∈ Conf(β): C ∩ Cutoff = ∅ ∧ h(Cut(C)) = m. 

The basic idea of the proof is the following: when a process of N crosses a cutoff e, 
the prefix [e] can be replaced by [Φ(e)] and this substitution leads to the construction 
of a smaller process leading to the same marking. Hence, when the size or inclusion 
rules are used, a minimal process (in the number of events) leading to a given 
marking is necessarily contained in the unfolding. 

Rewriting the reachability property for deadlock markings, we obtain the following 
property. 

Proposition (deadlock property) [McM92]: Let (β, Cutoff, Φ) be a size rule unfolding 
of a net N. A reachable marking m of N is a deadlock iff ∃C ∈ MaxConf(β) such that 
h(Cut(C)) = m ∧ C ∩ Cutoff = ∅. 

A nice algorithm for the detection of deadlocks has been presented by McMillan in 
[McM92]. This algorithm consists in constructing a configuration containing an event 
in conflict for each cutoff of the unfolding. For each cutoff e, we determine the set 
K(e) of minimal events in conflict with e. Then, we search for a conflict-free event 
set E that contains at least one event from each set K(e). If such a set can be defined, 
then the configuration [E] is eventually extended to a maximal configuration which 
contains no cutoff. 

Mortal and deadlock rejects 

Existence of mortal and deadlock behavior is simply the direct application of the 
reachability property. 

Proposition (mortal rejects): Let (β, Cutoff, Φ) be a size rule unfolding of a net N. N 
can realize an illegal mortal behavior iff ∃b ∈ B(β) such that h(b) ∈ Mortal(N). 

Proposition (deadlock rejects): Let (β, Cutoff, Φ) be a size rule unfolding of a net N. 
N can realize an illegal deadlock behavior iff ∃b ∈ B(β), ∃C ∈ MaxConf(β) such that 
h(b) ∈ Deadlock(N) ∧ b ∈ Cut(C) ∧ C ∩ Cutoff = ∅. 

A good algorithm for the detection of deadlock rejects can be found by adapting 
the deadlock detection algorithm presented by McMillan. For deadlock rejects, we 
also have to ensure that the configuration contains an event in conflict with each event 
in the output of the condition b. For each cutoff e or event e in the output of b, we 
determine the set K(e) of minimal events in conflict with e. Then, we search for a 
conflict-free event set E that contains no event in conflict with b and contains at 
least one event of each set K(e). If such a set can be defined, then the configuration 
[E] ∪ [b] is eventually extended to an illegal deadlock configuration. 




Figure 7: Analysis of PN1 and PN2 (branching processes Unfolding'1 and Unfolding'2; 
the cutoff shown in each has e2 as its image) 

Figure 8: Analysis of PN3 

To detect the deadlock reject of Unfolding 1 (Figure 6), we construct for each 
cutoff the set of events in conflict with it: K(e4) = {e2, e3}, K(e6) = {e1}, K(e8) = {e1, e7}. 
From them, we deduce the set {e1, e3}. The configuration [e1, e3] leads eventually to 
the deadlock marking (A', C). For Unfolding 2 (Figure 6), we have K(e3) = {e2}, 
K(e5) = K(e6) = {e1}. As e1 and e2 are in conflict, the net is deadlock-free. For 
Unfolding 3 (Figure 6), the result is immediate: K(e3) = K(e4) = K(e5) = ∅. The 
branching processes Unfolding'1, Unfolding'2 and Unfolding'3 of Figures 7 and 8 are 
obtained from the synchronization of the P/T nets of Figure 4 with Tester 2 of 
Figure 3. From these unfoldings, we can deduce a mortal reject for the net PN3: the 
corresponding unfolding contains a condition labeled U. 
Live and divergent rejects 

The detection of live and divergent rejects relates to the problem of the 
characterization of infinite behaviors. This problem is difficult: in [Wal98] the author 
and the referees have been fooled by the apparent simplicity of the problem. In this 
work, two graphs whose nodes are cutoffs and their images have an important 
function for the detection of infinite behaviors: 

1. Upper-concurrent graph: the cutoffs have as successors their images with respect 
to Φ and the images have as successors the cutoffs which are above or 
concurrent with them. 

2. Upper graph: the cutoffs have as successors their images and the images have as 
successors the cutoffs which are above them. 




Figure 9: Erroneous detection of infinite behavior in the upper-concurrent graph 

Reducing an infinite process by the cutoffs it crosses, we construct an infinite path in 
the upper-concurrent graph. An infinite path in the upper graph induces an infinite 
behavior passing through the markings associated to the local configurations of the 
cutoffs explored by the path. Contrary to the claims presented in [Wal98], neither of 
these graphs allows the characterization of infinite behaviors in a definitive way. The 
upper-concurrent graph can induce some non-existent infinite behaviors of the P/T net 
(see the counterexample in Figure 9); the upper graph does not necessarily detect the 
infinite behaviors (Figure 10). These graphs must be used only as necessary (upper- 
concurrent graph) or sufficient (upper graph) conditions for the existence of illegal 
live or divergent behaviors. 




Figure 10: Non detection of infinite behavior in the upper graph 



When the inclusion rule is used for the unfolding construction, infinite processes 
looping on a similar event can be reduced using only one cutoff. Then, the detection 
of live and divergent rejects is limited to infinite processes that can be reduced to a 
single cutoff. 

Proposition (cycle property): Let (β, Cutoff, Φ) be an inclusion rule unfolding of a 
net N. N has an infinite behavior iff Cutoff is not empty. 

Proof 

1) If the event set Cutoff is not empty, let e be an event in Cutoff. The infinite 
process Π([Φ(e)]) . Π([e] \ [Φ(e)]) ... Π([e] \ [Φ(e)]) ... induces an infinite behavior 
of N. 

2) If N has an infinite behavior, we can build a process as big as we want and there 
then exists a process which contains more events than the unfolding. Because 
the unfolding is a stable branching process, this process must cross a cutoff. It 
proves that the event set Cutoff is not empty. 

As the presence of a cutoff denotes a cycle, a place of live reject represented in an 
unfolding between a cutoff and its image denotes an illegal live behavior. We 
demonstrate that this condition is necessary in the case of inclusion rule unfoldings. 

Proposition (live property): Let (β, Cutoff, Φ) be an inclusion rule unfolding of a net 
N. N can produce an illegal live behavior iff ∃e ∈ Cutoff, ∃b ∈ •([e] \ [Φ(e)]): h(b) ∈ 
Live(N). 

Proof 

1) If ∃b ∈ B(β), ∃e ∈ Cutoff such that h(b) ∈ Live(N) ∧ b ∈ •([e] \ [Φ(e)]), the infinite 
process Π([Φ(e)]) . Π([e] \ [Φ(e)]) ... Π([e] \ [Φ(e)]) ... induces an illegal live 
behavior of N. 

2) If N can produce an illegal live behavior, there exist processes which contain 
more live conditions than the unfolding. Let π be one of these processes 
containing a minimal number of events. Suppose now that 

∀e ∈ Cutoff, ∀b ∈ •([e] \ [Φ(e)]): h(b) ∉ Live(N) (1) 

Because the unfolding is a stable branching process, this process must cross a 
cutoff e: π = Π([Φ(e)]) . Π([e] \ [Φ(e)]) . π', where π' is the suffix of π. The new 
process Π([Φ(e)]) . π' contains as many live conditions as π with fewer events. It 
proves that the hypothesis (1) is false and that 
∃e ∈ Cutoff, ∃b ∈ •([e] \ [Φ(e)]): h(b) ∈ Live(N). 

The characterization of divergent rejects is a more difficult task. We demonstrate that 
the presence of particular cutoffs is a necessary and sufficient condition in the case of 
safe P/T nets. The generalization to bounded nets of this property is still a conjecture. 

Proposition (divergent property): Let (β, Cutoff, Φ) be an inclusion rule unfolding of 
a safe net N. N can produce an illegal divergent behavior iff ∃b ∈ B(β), ∃e ∈ Cutoff such 
that h(b) ∈ Divergent(N) ∧ b // ([e] \ [Φ(e)]). 

Proof 

1) Assume ∃b ∈ B(β), ∃e ∈ Cutoff such that h(b) ∈ Divergent(N) ∧ b // ([e] \ [Φ(e)]). 
The infinite process Π([Φ(e)]) . Π([e] \ [Φ(e)]) ... Π([e] \ [Φ(e)]) ... induces an 
illegal divergent behavior of N. 

2) Assume N can produce an illegal divergent behavior: there exists an infinite 
divergent process π, ∃b ∈ B(π): h(b) ∈ Divergent(N) ∧ b• = ∅. Let π be one of these 
processes containing a minimal number of events before b (|[b]| is minimal). 
Because the unfolding is a stable branching process, this process must cross a 
cutoff event e: π = Π([Φ(e)]) . Π([e] \ [Φ(e)]) . π' (where π' is the suffix of π). 
The new process π_r = Π([Φ(e)]) . π' is still a divergent process (b• = ∅ in π and 
then b• = ∅ in π_r). We just have to prove that if [b] ∩ ([e] \ [Φ(e)]) ≠ ∅ then |[b]| 
in π_r is less than |[b]| in π. Indeed if [b] ∩ ([e] \ [Φ(e)]) = ∅ then b and e are the 
desired condition and event, else π is not minimal. 

Let us prove that 

h({b' ∈ Cut([e]): b' < b}) ⊆ h({b' ∈ Cut([Φ(e)]): b' < b}) (1) 

Let us decompose Cut([Φ(e)]): 

Cut([Φ(e)]) = m1 ∪ m1' with m1 < b and m1' // b. (2) 

We can note that m1 = {b' ∈ Cut([Φ(e)]): b' < b} and m1' = Cut([Φ(e)]) \ m1. 

Let m = Cut([Φ(e)] ∪ ([e] ∩ [b])). We can note that [Φ(e)] ∪ ([e] ∩ [b]) is a 
configuration because [Φ(e)] ⊆ [e] and so the new events added to [Φ(e)] cannot 
be in conflict. m can be obtained from Cut([Φ(e)]) by firing the events of 
([e] \ [Φ(e)]) ∩ [b]. Because m1' // b, m1' ⊆ m. So m can be decomposed into 
m = m2 ∪ m2' ∪ m1' with m2 < b and m2' // b. (3) 

Let us decompose Cut([e]): 

Cut([e]) = m3 ∪ m3' with m3 < b and m3' // b. (4) 

We can note that m3 = {b' ∈ Cut([e]): b' < b} and m3' = Cut([e]) \ m3. Because 
Cut([e]) can be obtained from m by firing the events of ([e] \ [Φ(e)]) \ [b], we 
deduce that 

m2 = m3. (5) 

Using the cutoff property (h(Cut([Φ(e)])) = h(Cut([e]))), we have 

h(m3) ⊆ h(m1) ∪ h(m1'). (6) 

Applying the fact that the net is safe to the marking m in (3), we have 

h(m2) ∩ h(m1') = ∅. (7) 

Using the equality m2 = m3 (5) and formulas (6) and (7), we deduce that 
h(m3) ⊆ h(m1) 
which is exactly formula (1). 

The formula (1) proved in the first step implies that the events of [b] in process π_r 
come from events of [b] \ [e] or of [b] ∩ [Φ(e)] in process π. This proves 
that |[b]| in process π_r is at most |[b]| in process π. Moreover if [b] ∩ 
([e] \ [Φ(e)]) ≠ ∅, they have different sizes. 

The unfolding of PN3 (Figure 4) synchronized with Tester 3 (Figure 3) is the 
branching process Unfolding'3 (Figure 8). In this unfolding, a divergent reject is 
detected: the events {e2, e5} are before the cutoff e8 and after its image e0, and are 
concurrent with the divergent condition T. 
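One way to run McMillan's hitting-set algorithm and its deadlock-reject adaptation (subsection "Mortal and deadlock rejects") together with the live and divergent properties above on a single inclusion rule unfolding, as an added example that is not the paper's code. The unfolding, its place labels, the cutoff image Φ(e4) = e0 and the reject place sets are constructed for illustration and are not Figures 6, 7 or 8; a virtual initial event e0 producing the initial cut is assumed (McMillan's convention), K(e), [e], Cut and the conflict relation # are computed from the structure, and concurrency is written co.

```python
"""Added example, not code from the paper: a constructed inclusion rule unfolding
on which we run McMillan's hitting-set deadlock search, its deadlock-reject
adaptation, and the cutoff-based live and divergent reject checks."""
from itertools import product

# Constructed unfolding: event -> (preset, postset); e0 is the virtual initial event.
EVENTS = {
    "e0": (set(), {"b0", "b1", "b7"}),        # initial cut, labeled A, B, V
    "e1": ({"b0"}, {"b2"}),                    # A -> C
    "e2": ({"b0"}, {"b3"}),                    # A -> D   (in conflict with e1 on b0)
    "e3": ({"b1"}, {"b4"}),                    # B -> E
    "e4": ({"b2", "b4"}, {"b5", "b6"}),        # C, E -> A, B   (cutoff)
}
CUTOFFS, PHI = {"e4"}, {"e4": "e0"}            # Phi(e4) = e0: same marking, [e0] c [e4]
LABEL = {"b0": "A", "b1": "B", "b2": "C", "b3": "D", "b4": "E", "b5": "A", "b6": "B", "b7": "V"}
DEADLOCK, LIVE, DIVERGENT = {"E"}, {"B"}, {"V"}   # constructed reject place sets of Z // N

producer = lambda b: next(e for e, (_, post) in EVENTS.items() if b in post)

def local_config(x):
    """[x]: the events causally below x (x itself included when it is an event)."""
    todo, seen = [x if x in EVENTS else producer(x)], set()
    while todo:
        e = todo.pop()
        if e not in seen:
            seen.add(e)
            todo.extend(producer(b) for b in EVENTS[e][0])
    return seen

def in_conflict(x, y):
    """x # y iff two distinct events of [x] and [y] share a preset condition."""
    return any(e != f and EVENTS[e][0] & EVENTS[f][0]
               for e, f in product(local_config(x), local_config(y)))

def K(e):
    conf = {f for f in EVENTS if in_conflict(f, e)}          # all events in conflict with e
    return {f for f in conf if not (local_config(f) - {f}) & conf}   # keep the minimal ones

def hitting_set(ksets, forbidden=frozenset()):
    """Conflict-free set with one event from each K set, none forbidden; None if impossible."""
    def rec(i, chosen):
        if i == len(ksets):
            return chosen
        for f in sorted(ksets[i]):
            if f not in forbidden and not any(in_conflict(f, g) for g in chosen):
                found = rec(i + 1, chosen | {f})
                if found is not None:
                    return found
        return None
    return rec(0, frozenset())

def cut(C):
    return set().union(*(EVENTS[e][1] for e in C)) - set().union(*(EVENTS[e][0] for e in C))

def extend_maximal(C):
    C = set(C)
    while True:                                # add enabled events until none is left
        enabled = sorted(e for e in EVENTS if e not in C and EVENTS[e][0] <= cut(C))
        if not enabled:
            return C
        C.add(enabled[0])

def find_deadlock():
    """McMillan: hit every K(e) of a cutoff with a conflict-free set, then extend [E]."""
    E = hitting_set([K(e) for e in sorted(CUTOFFS)])
    if E is None:
        return None
    C = extend_maximal(set().union(*(local_config(f) for f in E)))
    return sorted(LABEL[b] for b in cut(C))                 # labels of the deadlock marking

def find_deadlock_reject(b):
    """Deadlock keeping b marked: also hit K(e) for e in b's postset, avoid conflicts with b."""
    post_b = {e for e in EVENTS if b in EVENTS[e][0]}
    E = hitting_set([K(e) for e in sorted(CUTOFFS | post_b)],
                    frozenset(f for f in EVENTS if in_conflict(f, b)))
    if E is None:
        return None
    C = extend_maximal(set().union(local_config(b), *(local_config(f) for f in E)))
    return sorted(C) if LABEL[b] in DEADLOCK and b in cut(C) else None

segment = lambda e: local_config(e) - local_config(PHI[e])   # [e] \ [Phi(e)]

def concurrent(b, e):
    """b co e: b not consumed below e, e not below b, and no conflict between them."""
    return (not any(b in EVENTS[f][0] for f in local_config(e))
            and e not in local_config(b) and not in_conflict(b, e))

def live_reject():
    """Live property: a live place in the preset of [e] \\ [Phi(e)] for some cutoff e."""
    for e in sorted(CUTOFFS):
        hits = sorted(b for f in segment(e) for b in EVENTS[f][0] if LABEL[b] in LIVE)
        if hits:
            return e, hits
    return None

def divergent_reject():
    """Divergent property (safe nets): a divergent condition concurrent with the whole segment."""
    for e in sorted(CUTOFFS):
        for b in sorted(LABEL):
            if LABEL[b] in DIVERGENT and all(concurrent(b, f) for f in segment(e)):
                return e, b
    return None
```

On this unfolding K(e4) = {e2}, so the hitting set {e2} extended maximally gives the deadlock marking {D, E, V}; asking for a deadlock reject on b4 (labeled E) succeeds with the configuration {e0, e2, e3}, while asking for one on b2 (labeled C) fails because every event in K(e4) is in conflict with b2. The loop [e4] \ [Φ(e4)] consumes b1 (the live place B), and b7 (the divergent place V) stays marked and concurrent with that loop, which is exactly the situation described for Unfolding'3 above.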

4. Unfolding Graph 

In this section, we introduce unfolding graphs and present their usefulness for the 
detection of illegal behaviors. Moreover, we show how to construct failure transition 
systems that are failure equivalent to a labeled P/T net. 

Elementary unfolding graph properties 

The construction of an unfolding graph begins by unfolding the net N. At each 
stage, we obtain a stable branching process (β, Cutout). A simple rule to stop an 
extension of a cutout e is to use the size rule; another rule is to decide to build a new 
branching process from the state Cut([e]). A cutout of this last kind is called a bridge. By 
iterating this construction, we obtain a graph of stable branching processes. Each node 
is called a partial size rule unfolding and the resulting graph an unfolding graph. 

Definition (partial size rule unfolding): A partial size rule unfolding of a net N is a 
tuple (β, Bridge, Cutoff, Φ) such that (β, Bridge ∪ Cutoff) is a stable branching 
process of N and Φ is a mapping from Cutoff to E(β) \ (Bridge ∪ Cutoff) which fulfils 
∀e ∈ Cutoff: h(Cut([e])) = h(Cut([Φ(e)])) ∧ |[Φ(e)]| < |[e]|. 

Definition (unfolding graph): An unfolding graph of a net N is a graph (G, A, g_init) 
where 

• ∀g ∈ G: g is a partial size rule unfolding of the net (N, Min(g)) (N with a new initial 
marking Min(g)) where Min(g) ∈ Reach(N), 

• ∀g ∈ G, ∀e ∈ Bridge(g), ∃!g' ∈ G: (g, e, g') ∈ A ∧ h(g)(Cut([e])) = h(g')(Min(g')), 

• h(g_init)(Min(g_init)) = m0, and 

• ∀g ∈ G, there exists a path in (G, A, g_init) from g_init to g. 

Unfolding graphs have the same good properties as size rule unfoldings: every 
reachable marking of a net N is represented in its unfolding graph. This property is 
based on the fact that each process from the initial marking of the net is represented in 
the graph. We start by reducing the process from the initial node of the graph. When a 
process crosses a cutoff e, the prefix [e] can be replaced by [Φ(e)] as for unfoldings. 
When a process crosses a bridge e, the prefix [e] is deleted from the process. The 
search must be continued in the successor node corresponding to the crossed bridge. It 
is clear that in this last case, the transformed process being searched for has an initial 
marking equal to the cut associated to the crossed bridge (see [Poi96]). 

Proposition (reachability property): Let (G, A, g_init) be an unfolding graph of a net N. 
m is a reachable marking of N iff 
∃g ∈ G, ∃C ∈ Conf(g): 

C ∩ (Bridge(g) ∪ Cutoff(g)) = ∅ ∧ h(g)(Cut(C)) = m. 

Rewriting the reachability property for deadlock markings, we obtain the following 
property. 

Proposition (deadlock property): Let (G, A, g_init) be an unfolding graph of a net N. A 
reachable marking m of N is a deadlock iff 

∃g ∈ G, ∃C ∈ MaxConf(g): h(g)(Cut(C)) = m ∧ C ∩ (Bridge(g) ∪ Cutoff(g)) = ∅. 

The efficient algorithm [McM92] for the detection of deadlocks is still applicable for 
unfolding graphs: it suffices to apply it to each node. 

Mortal and deadlock rejects 

Existence of mortal and deadlock behavior is simply the direct application of the 
reachability property. 

Proposition (mortal rejects): Let (G, A, g_init) be an unfolding graph of a net N. N can 
produce an illegal mortal behavior iff 
∃g ∈ G, ∃b ∈ B(g): h(g)(b) ∈ Mortal(N). 

Proposition (deadlock rejects): Let (G, A, g_init) be an unfolding graph of a net N. N 
can produce an illegal deadlock behavior iff 
∃g ∈ G, ∃b ∈ B(g), ∃C ∈ MaxConf(g): 
h(g)(b) ∈ Deadlock(N) ∧ b ∈ Cut(C) ∧ C ∩ (Bridge(g) ∪ Cutoff(g)) = ∅. 

For detecting deadlock reject behaviors, we can apply our adaptation of the McMillan 
algorithm to each node of the unfolding graph. 

Live and divergent rejects 

To detect infinite behaviors of the net, we need to put more constraints on 
the cutoff rule. Indeed, in the unfolding study, we have proved that the size rule is not 
a good rule for infinite behavior detection (see the counterexamples). When the inclusion 
rule is used for the unfolding construction of some node, the detection of infinite live 
and divergent rejects is limited to the structural properties of the unfolding graph. 
When the inclusion rule is used to construct an unfolding, the node is a partial 
inclusion rule unfolding. 

Definition (partial inclusion rule unfolding): A partial size rule unfolding (β, Bridge, 
Cutoff, Φ) fulfils the inclusion rule iff 
∀e ∈ Cutoff: [Φ(e)] ⊂ [e]. 

Such an unfolding is called a partial inclusion rule unfolding. 

The detection of live reject behaviors is straightforward. Such a behavior can be detected 
locally to a node (as in the unfolding) or globally as a particular cycle in the 
unfolding graph. 

Proposition (live property): Let (G, A, g_init) be an unfolding graph of a net N such that 
for every g in G: 

(∃b ∈ B(g): h(g)(b) ∈ Live(N)) ⇒ g is a partial inclusion unfolding. 

N can realize an illegal live behavior iff 

∃g ∈ G, ∃e ∈ Cutoff(g), ∃b ∈ •([e] \ [Φ(e)]): h(b) ∈ Live(N) (1) 

or 

∃ a cycle (gi, ei, gi+1)_{i ∈ [0, n-1]} in (G, A, g_init): h(•[e0]) ∩ Live(N) ≠ ∅ (2) 

Proof 

1. If (1) then π = Π([Φ(e)]) . Π([e] \ [Φ(e)]) . Π([e] \ [Φ(e)]) ... induces an illegal live 
behavior from the accessible marking h(Min(g)) (notice that g is a partial inclusion 
unfolding). 

If (2) then π = Π([e0]) Π([e1]) ... Π([en-1]) ... Π([e0]) Π([e1]) ... Π([en-1]) ... induces 
an illegal live behavior from the accessible marking h(Min(g0)). 

2. Consider a process π. If not (1), by cutoff reductions of π the number of live 
events does not change. If not (2), a bridge reduction that can change the number 
of live events cannot be used twice for the reduction of process π. So if not (1) 
and not (2), process π has a limited number of live events (at most the sum of the 
live events of the unfoldings of the graph + 1). 

The detection of divergent reject behaviors in unfolding graphs is a difficult task even 
for safe nets. Since such a behavior can be projected in a cycle of the graph, we have 
to restrain the possible projections. 

Proposition (divergent property): Let (G, A, g_init) be an unfolding graph of a net N 
such that for every g in G: 

(∃b ∈ B(g) \ Bridge(g)•: h(g)(b) ∈ Divergent(N)) ⇒ g is a partial inclusion 
unfolding ∧ |{b ∈ B(g) \ Bridge(g)• | h(g)(b) ∈ Tester(N)}| = 1. 

N can realize an illegal divergent behavior iff 
∃g ∈ G, ∃b ∈ B(g), ∃e ∈ Cutoff(g): h(g)(b) ∈ Divergent(N) (1) 

∨ 

∃ a cycle (gi, ei, gi+1)_{i ∈ [0, n-1]} in (G, A, g_init): 

∃b ∈ B(g0): h(b) ∈ Divergent(N) ∧ 

∀i ∈ [0, n-1], h(•[ei]) ∩ Divergent(N) = ∅ (2) 

Proof 

1. If (1) then π = Π([Φ(e)]) . Π([e] \ [Φ(e)]) . Π([e] \ [Φ(e)]) ... induces an illegal 
divergent behavior from the accessible marking h(Min(g)) (notice that g is a partial 
inclusion unfolding). 

If (2) then π = Π([e0]) Π([e1]) ... Π([en-1]) ... Π([e0]) Π([e1]) ... Π([en-1]) induces 
an illegal divergent behavior from the accessible marking h(Min(g0)). 

2. Consider an infinite divergent process π: ∃b ∈ B(π): b• = ∅ ∧ h(b) ∈ Divergent(N). 
By cutoff and bridge reduction, process π stays an infinite divergent process. 
Write π as Π([b]) . π' and reduce Π([b]); we obtain a new divergent process 
π1 . π1' such that π1 is in an unfolding g1. The divergent condition b in π1 
corresponds to the unique divergent condition in g1 (which is not after a bridge). 
If we can reduce π1 . π1' by a cutoff, g1 fulfils (1). Otherwise we reduce it by a 
bridge and obtain a new process π2 . π2' such that π2 is in an unfolding g2. Once 
again, the divergent condition b in π2 corresponds to the unique divergent 
condition in g2 (which is not after a bridge). We stop this reduction process when 
the process πi . πi' crosses a cutoff (gi fulfils (1)) or when by bridge reduction we 
go back to an unfolding already visited (cycle in the unfolding graph which 
fulfils (2)). 

Failure equivalent graph 

When building an unfolding graph of a labeled P/T net by imposing that the 
controlled actions are associated only to bridges, we capture almost all the interesting 
behaviors of a net. To study local divergent behaviors, we use the inclusion rule for 
unfolding. We will see that such a graph induces a failure transition system that is 
failure equivalent to the net. 

Definition (strict unfolding graph): A strict unfolding graph with respect to a 
transition set Control of a labeled net N is an unfolding graph (G, A, g_init) such that for 
every g in G: 

• g is a partial inclusion rule unfolding, and 

• ∀e ∈ E(g) \ Bridge(g): h(e) ∉ Control. 

The strict unfolding graph gives an abstraction of the behavior of the net with regard 
to the set of controlled actions. To obtain a failure transition system, we have to take 
into account firstly the infinite behaviors hidden in nodes and secondly the potentially 
blocking behaviors. An infinite behavior local to a node is simply detected by the 
presence of a cutoff. Blocking behaviors correspond to deadlocks in an unfolding in 
which the firings of a subset of the controlled transitions are not allowed. Formally, a 
failure transition system is defined as follows. 

Definition (failure transition system): Let (G, A, g_init) be a strict unfolding graph of a 
labeled net N = (P, T, Σ, W, m0) with respect to a controlled action set Control. Its 
failure transition system is fsys = (G, Σ, F, g_init, Control, div, fail) where 
• (g, a, g') ∈ F ⇔ ∃(g, e, g') ∈ A: h(g)(e) = a, 
• div = {g ∈ G | Cutoff(g) ≠ ∅}, 

• ∀g ∈ G, fail(g) = {D ⊆ Control | ∃C ∈ MaxConf(g_D): C ∩ (Cutoff(g_D) ∪ 
Bridge(g_D)) = ∅}, 

where g_D is the unfolding g from which the events labeled by an element of D are 
removed. 

The failure transition system constructed in the definition is failure equivalent to the 
net. 

Proposition (failure equivalence): Let (G, A, g_init) be a strict unfolding graph of a 
labeled net N with respect to a controlled action set Control. Its failure transition 
system is failure equivalent to N with respect to Control. 



Figure 11: Strict unfolding graph and its failure transition system 

The formal proof of this proposition is simple but too long to be shown in this paper. 
The idea is the following: when synchronizing a tester Z and a failure transition 
system fsys, we almost obtain an unfolding graph. We simply have to replace each 
node (q, g) of the synchronized system Z // fsys by the unfolding g to which we 
properly add the place q. For this unfolding graph, each node is a partial inclusion rule 
unfolding and contains one place of the tester. One can remark that for each type of 
illegal behavior detection the characterization previously presented for the unfolding 
graph is the same as for the failure transition system synchronized with the tester. 
Figure 11 presents the strict unfolding graph of the net PN3 (Figure 4) and its failure 
transition system which is failure equivalent to PN3. 

5. Experimentation 

In this section, unfolding graphs are tested on two classical examples: a 
specification of a distributed database [Jens86] and Peterson's algorithm of mutual 
exclusion for n processes [CP94]. Both examples are scalable, in such a way that the 
number of reachable states is exponential with respect to a given parameter. 

The obtained results are presented in Tables 1 and 2. In the first table we give for 
each model: the size of the model; the size of its reachability graph; the size of its 
reduced reachability graph obtained by the stubborn set method [Val91] and the 
corresponding CPU time; as well as the inclusion rule and size rule unfoldings. The 
sizes of the unfoldings are denoted by the sum of the numbers of events and 
conditions. Notice that complete graphs and reduced graphs can be used for the 
detection of illegal behaviors [Val93]. In the second table, variants of bridge event 
selection for strict unfolding graphs are tested. Remember that in strict unfolding 
graphs, the controlled actions can only be associated to bridges. The first tested 
implementation consists in associating to bridges only controlled actions (strict 
unfolding graph without heuristic). To limit the size of the unfoldings that compose 
nodes, other implementations based on three different heuristics have been tested 
(strict unfolding graph with heuristic). Indeed, any event can be chosen as a bridge 
during the construction without invalidating the construction. For the distributed 
database, a first heuristic has been used: we impose that in each unfolding there are 
no two conditions associated to the same place. This heuristic drastically limits the size 
of the constructed unfoldings. Moreover, it is clear that such an unfolding cannot 
have a cutoff event. For the Peterson's algorithm example with two and three 
processes, the chosen heuristic imposes that the size of the unfoldings is less than 
twice the size of the net. Finally, arbitrary transitions have been designated to be 
systematically associated with a bridge in Peterson's algorithm with four processes. 
These different heuristics are used to demonstrate the flexibility of the method. 



Model   | Model size  | Complete  | Red. graph        | Unfolding
        | |P|    |T|  | graph |R| | |R|      time     | Inc. rule            | Size rule
        |             |           |                   | |B|+|E|    time      | |B|+|E|    time
--------+-------------+-----------+-------------------+----------------------+------------------
BD2     |  15     8   |      7    |     7    0.08     |     30     0.01      |     30     0.01
BD4     |  61    32   |    109    |    29    0.16     |    133     0.03      |    133     0.01
BD6     | 139    72   |   1459    |    67    0.25     |    307     0.11      |    307     0.11
BD8     | 249   128   |  17497    |   121    0.44     |    553     0.36      |    553     0.36
Peter2  |  18    18   |     50    |    32    0.11     |    199     0.05      |     88     0.01
Peter3  |  45    57   |   1065    |   645    0.88     |      *        *      |   4791     37.2
Peter4  |  84   132   |  25636    | 15600   42.31     |      *        *      |      *        *

Table 1: Experimentation results (part 1) 

The controlled actions chosen for the distributed database are Write(1) and Unlock(1). 
This observation allows us to verify that process 1 necessarily receives the 
acknowledgment of the others when it asks them to update their local copies. For 
Peterson's algorithm, the controlled actions are Ask(1), Enter(1) and Leave(1). This 
observation allows us to verify the fairness property, which expresses that when the 
first process asks for access to the critical section, it eventually obtains it. The two 
cutoff rules (inclusion and size) are tested in both cases. For each kind of graph, we 
give: the size of the graph; the average size of the unfoldings composing the nodes; 
and the time needed to construct it. 



Model   | Strict graph without heuristic              | Strict graph with heuristic
        | Inc. rule            | Size rule            | Inc. rule            | Size rule
        | |G|   Av.    time    | |G|   Av.    time    | |G|   Av.    time    | |G|   Av.    time
--------+----------------------+----------------------+----------------------+---------------------
BD2     |   2    17    0.00    |   2    17    0.00    |   3    13    0.01    |   3    13    0.01
BD4     |   2    74    0.03    |   2    74    0.03    |  15    36    0.08    |  15    36    0.08
BD6     |   2   171    0.11    |   2   171    0.11    |  45    67    0.55    |  45    67    0.55
BD8     |   2   308    0.33    |   2   308    0.33    | 119   103    3.13    | 119   103    3.13
Peter2  |   7    39    0.04    |   7    35    0.04    |  17    18    0.03    |   8    31    0.03
Peter3  |   *     *       *    |  28   994   182.2    | 161    48    1.93    | 161    48    2.00
Peter4  |   *     *       *    |   *     *       *    | 1865   65   118.9    | 1865   64   108.6

Table 2: Experimentation results (part 2) 

The tool used for the computation of complete and reduced graphs is Prod [VR92]. 
For the unfoldings and the equivalent unfolding graphs, we have used our own tool. 
Note that the unfolder included in Pep [Best96] is more efficient for size rule 
unfoldings and that using it for the computation of unfolding graphs could improve 
the time results. 

The distributed database model presents a high rate of concurrency, and the 
persistent set and unfolding methods take advantage of this. The strict unfolding 
graph method without heuristic has the same performance in terms of time, but the 
graphs have a constant size. The heuristic chosen for the second implementation leads 
to an exponential graph size. We show here that the disadvantages of the first version 
of unfolding graphs presented in [CP96] have been corrected. 

Peterson's algorithm is highly synchronized, so the reduction rate obtained by the 
persistent set method is limited (less than two). For the unfolding technique, one can 
notice that the size of the resulting net becomes large. The more the size of the 
unfolding net grows during the construction, the more the cost of adding a new event 
increases. Indeed, this cost depends on the size of the unfolding and on the rate of 
association of conditions with the same place. Using the size cutoff rule, better 
results can be obtained, but the verification is then limited to the detection of mortal 
or deadlock rejects. The same phenomenon can be observed for the strict unfolding 
graph constructed without heuristic. But the flexibility of the algorithm allows us to 
find heuristics for which a graph can be efficiently constructed even for the inclusion 
cutoff rule. 

6. Concluding Remarks 

For the detection of illegal behaviors, we have presented two techniques: 
unfoldings and unfolding graphs. It seems a priori that unfolding is well-suited to the 
detection of mortal and deadlock rejects, while unfolding graphs are well-suited to the 
detection of live and divergent rejects. However, our experiments show that the 
flexibility of the unfolding graph algorithm allows us to push back the limits of the 
unfolding method. Moreover, two major qualities of the unfolding graph method are 
that it allows one to compute failure equivalent graphs and that the construction and 
the analysis of a net synchronized with a tester can be done on-the-fly. 
Abstract. Transformations on a system specification are often used as a means 
for simplifying the process of verification. When applying a transformation, it is 
an important issue whether some specific properties of the system will be 
preserved or not. For systems specified in colored Petri nets, this paper provides 
the criteria for determining the preservation of place-invariants and transition- 
invariants under five classes of very general transformations, namely Insertion, 
Elimination, Replacement, Composition, and Decomposition. Applications to 
flexible manufacturing engineering systems and telecommunications systems 
are discussed. 



1 Introduction 

For systems specified in Petri nets, transformations are often used to modify their 
structures or to simplify the processes of specification, verification and analysis. For 
both purposes, an important issue is whether some specific properties of the system 
will be preserved (in a certain sense) under the transformation. For basic Petri nets, 
this issue has been studied extensively [2,8,20]. Recently, two detailed reviews covering 
many classes of specific and general transformations for preserving such properties as 
liveness, boundedness, invariants, etc. have been given by Cheung, et al. [7,8]. 

In the last decade, basic Petri nets have been extended to colored Petri nets (CP-nets) 
in response to the rapid expansion of system application and complexity in a multi- 
user or multi-media computing environment. In particular, CP-nets have been 
extensively applied for specification and verification in such areas as network 
protocols, ISDN services [16], manufacturing engineering, etc. However, because of 
the lack of a theoretical foundation and computational processes, the approach of 
applying property-preserving transformations on CP-nets for system synthesis and 
analysis has not been progressing as rapidly as desired. At present, as summarised 
below, only a very limited amount of work has been reported in the literature. 
A. Transformations Preserving Liveness, Boundedness, etc. 

Berthelot [2] proposed reductions for basic Place/Transition nets which preserve 
liveness, safeness, boundedness, etc. Haddad [12] extended them to CP-nets. 
However, it is difficult to apply the latter's methods as they are based on the 
complicated process of unfolding the CP-net. Benalycherif et al. [1] investigated the 
synchronization of colored FIFO nets and showed that, when two such nets are 
composed by merging their transitions and adjacent places, liveness can be preserved 
under a condition relying on a non-constraining relation between them. Lakos [19] 
studied the conditions under which an abstraction of CP-nets will preserve such 
properties as adjacency relationships, color consistency, marking-respecting, step- 
respecting, place flow, etc. 

B. Transformations Preserving Invariants of CP-nets 

By extending the Gaussian elimination rules for solving a linear system of equations, 
Jensen [13] presented four types of transformations that simplify the incidence matrix 
of a CP-net but preserve its P-invariants or T-invariants. Narahari et al. [23] showed 
that the invariants of the 'union' of two CP-nets can be composed from those of the 
component nets. Christensen et al. [10] studied the invariant-preserving problem of 
modular CP-nets composed by fusing the places and transitions of several modules. 
Described above are the only two kinds of invariant-preserving transformations we 
are aware of. Note that they are not general but are either a Gaussian elimination or a 
composition of the union type. They cannot be used for detecting invariant 
preservation under transformations arising from more general and diversified 
applications. 

This paper provides the criteria for preserving the invariants of CP-nets under five 
classes of general transformations, namely Insertion, Elimination, Replacement, 
Composition and Decomposition. The computational processes derived do not require 
knowledge about the semantics of the transformations or structures of the Petri nets. 
They are a nontrivial generalisation of similar results for basic Petri nets [8]. The rest 
of this paper is organised as follows. Section 2 reviews the basic concepts of CP-nets. 
Sections 3 to 5 describe the five classes of general transformations on CP-nets and the 
criteria for them to preserve invariants. In Section 6, to conclude this paper and point 
out some directions for research, we briefly describe the potential application of our 
results to several areas of problems, mentioning our current work on manufacturing 
engineering systems [9] and telecommunication systems [7,21] as examples. 



2 Colored Petri Nets and Their Invariants 

Readers are assumed to have a basic knowledge of CP-nets. This section first presents 
the required definitions and notations. Some explanation for beginners is given at the 
end. More details and examples can be found in [13,14,16]. 

Notation 

1. For a variable or expression x, Type(x) denotes the type of x. 

2. For an expression Exp, Var(Exp) denotes the set of free variables in Exp. 

3. The inner product of two vectors α and β is written as α * β. 

4. 0 denotes a zero-function. 

5. For two sets S1 and S2 where S1 ∩ S2 = ∅, S1 ∪ S2 is denoted as S1 + S2. 
Definition 1 (Multi-set, Multi-set Extension of a Function). A multi-set over a 
finite set S is a function m: S → ℕ (the set of non-negative integers). It can be expressed in 
the form 

$$m = \sum_{s \in S} m(s)`s,$$ 

where m(s)`s indicates that element s occurs m(s) times in the multi-set. S_MS denotes 
the set of all multi-sets over S. For two finite sets S and R and a function F: S → R_MS, 
the multi-set extension of F is a function F̂: S_MS → R_MS such that 

$$\forall m \in S_{MS},\quad \hat{F}(m) = \sum_{s \in S} m(s) \cdot F(s).$$ 

Definition 2 (Generalized Matrix-Multiplication). Let Q, Y and Z be three non- 
empty sets, F be an m × n matrix whose element F_ij: Q_MS → Y_MS is a linear function, 
H be an m-vector whose ith element H_i: Y_MS → Z_MS is also a linear function, and V 
be an n-vector whose jth element is V_j ∈ Q_MS. The result of the generalized matrix- 
multiplication H * F is an n-vector S whose jth element is a function S_j: Q_MS → Z_MS 
such that 

$$\forall a \in Q_{MS},\quad S_j(a) = \sum_{i=1}^{m} H_i\bigl(F_{ij}(a)\bigr),$$ 

whereas F * V is an m-vector W whose ith element W_i ∈ Y_MS is given by 

$$W_i = \sum_{j=1}^{n} F_{ij}(V_j).$$ 

Definition 3 (Colored Petri Net). A Colored Petri net (CP-net) is a 6-tuple N = <P, 
T, A, C, E, G>, where: 

a. P and T are two disjoint sets of nodes called places and transitions, 
respectively. A place is often drawn as a circle and a transition as a rectangle. 

b. A is a set of directed arcs connecting a place and a transition. An arc is 
denoted as (p,t) or (t,p) with p ∈ P and t ∈ T. 

c. C is a color function on P. That is, ∀p ∈ P, C(p) is a set of token-colors. 

d. E: A → Exps is an arc expression function, where Exps is a set of expressions. 
∀a ∈ A, Type(E(a)) is C(p(a))_MS, where p(a) is the source or destination place of a. 

e. G: T → Prs is a guard function, where Prs is a set of first-order formulas. (A 
guard function always evaluated to true may be omitted.) 

Hereafter, all relevant notations refer to a CP-net N = <P, T, A, C, E, G>. 

Notation 

a. For x ∈ T ∪ P, A(x) denotes all the arcs in A that are adjacent to x. 

b. For t ∈ T, Var(t) denotes the set of variables either in the guard of t or in the 
expression of any arc adjacent to t, i.e., Var(t) = { v | v ∈ Var(G(t)) ∨ ∃a ∈ 
A(t): v ∈ Var(E(a)) }. 

Definition 4 (Binding). A binding b for an expression Exp, in notation Exp(b), is an 
assignment of values (i.e., tokens of certain colors) to Var(Exp) for the evaluation of 
Exp. A binding for a transition t ∈ T is a binding of G(t) and every expression 
associated with an arc in A(t). The set of all bindings for t is denoted as B(t). 

Definition 5 (Incidence Matrix). The incidence matrix I of N is a |P| × |T| matrix 
whose element I_ij is the multi-set extension of the function f_ij(b) = E(t_j,p_i)(b) − E(p_i,t_j)(b), 
where t_j ∈ T, p_i ∈ P and b ∈ B(t_j). 

Definition 6 (Weight-Function, Support). A place weight-function W_P is a function 
on P such that ∀p ∈ P, W_P(p) is a mapping from C(p)_MS to X_MS, where X is a non- 
empty set. The support of W_P is {p ∈ P | W_P(p) ≠ 0}. W_P is often written as a |P|- 
vector with W_P(p_i) as its ith element. A transition weight-function W_T is a function on 
T such that ∀t ∈ T, W_T(t) ∈ B(t)_MS. The support of W_T is {t ∈ T | W_T(t) ≠ 0}. W_T is 
often written as a |T|-vector with W_T(t_i) as its ith element. 

Notation. A place/transition weight-function W_P/W_T with support 
{p_m1, p_m2, ..., p_mk} / {t_m1, t_m2, ..., t_ml} is denoted as: 

$$\begin{pmatrix} p_{m_1} & p_{m_2} & \cdots & p_{m_k} \\ W_P(p_{m_1}) & W_P(p_{m_2}) & \cdots & W_P(p_{m_k}) \end{pmatrix} \;/\; \begin{pmatrix} t_{m_1} & t_{m_2} & \cdots & t_{m_l} \\ W_T(t_{m_1}) & W_T(t_{m_2}) & \cdots & W_T(t_{m_l}) \end{pmatrix}$$ 

Definition 7 (Invariant). Let I be the incidence matrix. A place weight-function W_P 
is said to be a place-invariant (P-invariant) iff W_P * I = 0. A transition weight- 
function W_T is said to be a transition-invariant (T-invariant) iff I * W_T = 0. 

Definition 8 (Weighted Net Flow). Let I be the incidence matrix, W_P be a place 
weight-function and W_T be a transition weight-function. For p_i ∈ P, T' ⊆ T, t_j ∈ T and 
P' ⊆ P, the W_T-weighted net flow of p_i with respect to T' is written NF(p_i, T', W_T), 
and the W_P-weighted net flow of t_j with respect to P' is defined as 

$$NF(t_j, P', W_P) = \sum_{p_k \in P'} W_P(p_k) \circ I_{kj},$$ 

where ∘ is functional composition. 



The above concepts and definitions for CP-nets are all generalizations from basic 
Petri nets, where only one kind of token is involved. A CP-net deals with many kinds 
(called token-colors or just colors) of tokens. Each of its places, transitions and arcs 
may accommodate only specific subsets of the colors and numbers of tokens of each 
color. Note that, in general, a designer may use his/her own interpretations of these 
concepts during application. For example, the color function C(p) in Definition 3 
imposes a restriction on the colors and the maximum number of tokens of each color 
allowed to be deposited into place p. Then, if in Definition 1 we let S be P (i.e., the set 
of places) and R be the set of colors, we have C: P → R_MS. Also, the arc expression 
function E(a) in Definition 3 states the multi-set of colors either required from p in 
order to fire t (in case a = (p,t)) or to be deposited into p after firing t (in case a = 
(t,p)). In either case, it is a multi-set extension of the form E: C(p(a))_MS → R_MS. 
(Compare Definitions 1 and 2.) Furthermore, at different times, tokens of different 
subsets of colors may be required in order to fire a transition. Hence, variables within 
scopes are often used to express such variations and limitations. They are bound when 
all their variables 'pick up' the actual tokens at run time. Lastly, the place/transition 
weight-function is a generalization of the marking/firing vector of basic Petri nets, 
where a support includes the non-zero elements. 

3 Insertion T-IN and Elimination T-EL 

T-IN/T-EL adds/deletes a set of places, transitions and arcs to/from a CP-net. 

Example. Fig. 1 shows an insertion T-IN, where N_a is transformed into N'_a by 
inserting the set of places IP = {p4, p5, p6}, the set of transitions IT = {t4} and the set 
of arcs IA = {(p3,t4), (p4,t4), (t4,p4), (t4,p5), (t4,p6), (p5,t3), (p6,t3)} between (p3,t3) and t3. A 
color function IC assigns a color set to each of the inserted places in IP, e.g., IC(p4) = 
D, IC(p5) = IC(p6) = D × D. A guard function IG assigns a guard expression to each 
of the inserted transitions in IT, e.g., IG(t4) = true. An arc expression function IE 
assigns an expression to each of the inserted arcs in IA, e.g., IE(p3,t4) = 3`(x,y), 
IE(p4,t4) = z, IE(t4,p4) = z, IE(t4,p5) = 3`(x,z), IE(t4,p6) = 3`(z,y), IE(p5,t3) = (x,z) and 
IE(p6,t3) = (z,y). 



Fig. 1. Insertion T-IN transforms N_a to N'_a by inserting the subnet within the 
dashed square (the inserted part) between arc (p3,t3) and t3 of N. 

We divide P/T of N_a into two disjoint sets: AP/AT (i.e., the set of affected 
places/transitions connected to at least one inserted arc) and UP/UT (i.e., the set of 
unaffected places/transitions not connected to any inserted arc). In Fig. 1, AP = {p3}, 
UP = {p1, p2}, AT = {t3} and UT = {t1, t2}. AA (i.e., the set of affected arcs between a 
place in AP and a transition in AT) is {(p3,t3)} and is removed in the transformation. 
[Figure: incidence matrix of N_a beside incidence matrix of N'_a. 
UP/UT, AP/AT, IP/IT: unaffected, affected, inserted places/transitions] 

Fig. 2. Incidence matrix representation of the transformation in Figure 1. 



Formal Description of Insertion T-IN 

Insertion T-IN transforms a CP-net N = <P, T, A, C, E, G> to another CP-net N' = 
<P', T', A', C', E', G'> by inserting a set of places IP, a set of transitions IT and a set 
of arcs IA. Associated with T-IN are a color function IC defined on IP, an arc- 
expression function IE: IA → Exps and a guard function IG: IT → Prs for assigning 
functions or expressions to the inserted places IP, transitions IT and arcs IA. 

N and N' are related in the following way: 

a. P' = P + IP, T' = T + IT and A' = A + IA − AA, where 

AA = { (p,t) | p ∈ AP ∧ t ∈ AT } + { (t,p) | p ∈ AP ∧ t ∈ AT }, where 
AP = { p | A(p) ∩ IA ≠ ∅ } and AT = { t | A(t) ∩ IA ≠ ∅ }. 

b. C'(p) = IC(p) if p ∈ IP 

        = C(p)  if p ∈ P 

c. E'(a) = IE(a) if a ∈ IA 

        = E(a)  if a ∈ A − AA 

d. G'(t) = G(t)  if t ∈ T 

        = IG(t) if t ∈ IT 



3.1 Preservation of P-Invariants under Insertion T-IN 

Theorem 1 below states that a place-invariant of a CP-net can be preserved if and only 
if, after the transformation, the weighted net flow of each of the affected transitions is 
not changed and the weighted net flow of each of the inserted transitions is 0. 

Theorem 1. Let N be transformed to N' by Insertion T-IN and let U ⊆ P − AP, A ⊆ 
AP and F ⊆ IP. Suppose W_P is a place weight-function of N with support U + A and 
W'_P is a place weight-function of N' with support U + A + F. If the following 
conditions: 

a. ∀p ∈ U + A, W_P(p) = W'_P(p), (3.1) 

b. ∀t ∈ AT, NF(t, A+F, W'_P) = NF(t, A, W_P) and (3.2) 

c. ∀t ∈ IT, NF(t, A+F, W'_P) = 0 (3.3) 

are satisfied, then W_P is a P-invariant of N iff W'_P is a P-invariant of N'. 

Proof: Let UP denote P − AP and UT denote T − AT. Suppose |T| = n and |UT| = i; then 
|AT| = n − i. For T-IN, the incidence matrix I is changed to I' as shown in Fig. 3. 

[Figure: the incidence matrix I of N, with column blocks UT, AT and row blocks UP, AP, 
beside the incidence matrix I' of N', with column blocks UT, AT, IT and row blocks UP, AP, IP. 
UP/UT, AP/AT, IP/IT: unaffected, affected, inserted places/transitions] 

Fig. 3. Incidence matrix representation of Insertion (T-IN) in vertical vector format. 

In Fig. 3, X_k (k = 1, ..., n) and X'_k (k = i+1, ..., n) are vertical |UP|-vectors. Y_k (k = 
1, ..., n+|IT|) and Y'_k (k = i+1, ..., n) are vertical |AP|-vectors. Z_k (k = i+1, ..., n+|IT|) is 
a vertical |IP|-vector. 0_j (j = 1, 2, ..., i) and 0_k (k = n+1, ..., n+|IT|) are a zero |IP|-vector 
and a zero |UP|-vector, respectively. X_k and X'_k (k = i+1, ..., n) have the following 
relationship: For j = 1, ..., |UP|, (X_k)_j is the multi-set extension of the function f_jk(b) = 
E(t_k,p_j)(b) − E(p_j,t_k)(b), where b is a binding of t_k in N, and (X'_k)_j is the multi-set extension 
of the function f'_jk(b') = E'(t_k,p_j)(b') − E'(p_j,t_k)(b'), where b' is a binding of t_k in N'. By the 
definition of T-IN, for t_k ∈ AT and p_j ∈ UP, E'(t_k,p_j) = E(t_k,p_j) and E'(p_j,t_k) = E(p_j,t_k). 
Hence, f_jk and f'_jk have the same form. However, since A(t_k) will change after the 
transformation, causing the change of Var(t_k), the domains of f_jk and f'_jk may be 
different. Let V_k and V'_k denote Var(t_k) in N and N', respectively. If b and b' satisfy the 
condition ∀v ∈ V_k ∩ V'_k: b(v) = b'(v), then f_jk(b) = f'_jk(b'). 

W_P can be expressed as (α β), where α is a |UP|-vector such that U = { p ∈ UP | 
|α(p)| ≠ 0 } and β is a |AP|-vector such that A = { p ∈ AP | |β(p)| ≠ 0 }. Based on 
(3.1), W'_P can be expressed as (α β γ), where γ is an |IP|-vector such that F = { p ∈ IP | 
|γ(p)| ≠ 0 }. Next, we have to prove that, if W_P and W'_P satisfy (3.2) and (3.3), then 
the following formula is true: 



$$W_P * I = 0 \iff W'_P * I' = 0. \qquad (3.4)$$ 

a. For k = 1, 2, ..., i, it is obvious that 

$$(\alpha\ \beta\ \gamma) * \begin{pmatrix} X_k \\ Y_k \\ 0_k \end{pmatrix} = (\alpha\ \beta) * \begin{pmatrix} X_k \\ Y_k \end{pmatrix}.$$ 

Hence, 

$$(\alpha\ \beta) * \begin{pmatrix} X_k \\ Y_k \end{pmatrix} = 0 \iff (\alpha\ \beta\ \gamma) * \begin{pmatrix} X_k \\ Y_k \\ 0_k \end{pmatrix} = 0.$$ 

b. For k = i+1, ..., n, by Definition 8, we have NF(t_k, A, W_P) = β * Y_k and NF(t_k, 
A+F, W'_P) = β * Y'_k + γ * Z_k. Together with (3.2), we have β * Y_k = β * Y'_k + 
γ * Z_k. From the analysis of the relationship between X_k and X'_k, we have α * 
X_k = 0 iff α * X'_k = 0. Hence, α * X_k + β * Y_k = 0 iff α * X'_k + β * Y'_k + γ 
* Z_k = 0. Hence, we have 

$$(\alpha\ \beta) * \begin{pmatrix} X_k \\ Y_k \end{pmatrix} = 0 \iff (\alpha\ \beta\ \gamma) * \begin{pmatrix} X'_k \\ Y'_k \\ Z_k \end{pmatrix} = 0.$$ 

c. For k = n+1, ..., n+|IT|, by Definition 8, NF(t_k, A+F, W'_P) = β * Y_k + γ * Z_k. 
Together with (3.3), we have β * Y_k + γ * Z_k = 0 and 

$$(\alpha\ \beta\ \gamma) * \begin{pmatrix} 0_k \\ Y_k \\ Z_k \end{pmatrix} = 0.$$ 

Hence, if Conditions (3.2) and (3.3) are satisfied, (3.4) is true. □ 



Corollary 1. Let Insertion T-IN transform N to N', U = (P − AP) ∩ INV and A = AP 
∩ INV. 

a. Suppose W_P is a P-invariant of N with support INV and W'_P is a place weight- 
function of N' with support INV + F, where F ⊆ IP. If U, A and F satisfy 
(3.1) - (3.3), then W'_P is a P-invariant of N'. 

b. Suppose W'_P is a P-invariant of N' with support INV and W_P is a place 
weight-function of N. Let F = IP ∩ INV. If U, A and F satisfy (3.1) - (3.3), 
then W_P is a P-invariant of N. 

Example. As a special case of Theorem 1, Corollary 1 makes it easier to find a P- 
invariant of the transformed/original net through the original/transformed net. 

Consider Fig. 1 as an example. N_a has a P-invariant 

$$W_{P1} = \begin{pmatrix} p_2 & p_3 \\ x & x \end{pmatrix}$$ 

with support INV = {p2, p3}. Let U = (P − AP) ∩ INV = {p2}, A = AP ∩ INV = {p3} and F = {p5}. N'_a 
has a place weight-function 

$$W'_{P1} = \begin{pmatrix} p_2 & p_3 & p_5 \\ x & x & x \end{pmatrix}.$$ 

By Corollary 1.a, since U, A, F satisfy (3.1) - (3.3), W'_P1 is a P-invariant of N'_a. Similarly, 
the other place weight-functions 

$$W'_{P2} = \begin{pmatrix} p_2 & p_3 & p_4 & p_5 \\ x & x & z & x \end{pmatrix},$$ 

W'_P3 and W'_P4 are also P-invariants of N'_a. W_P1 can also be determined through W'_P1, 
W'_P2, W'_P3 or W'_P4 by applying Corollary 1.b. 
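As an added illustration, not taken from the paper, the following Python checks Theorem 1's conditions (3.1)-(3.3) on a small constructed net with a single color and constant arc weights, the special case in which a CP-net is an ordinary place/transition net and the generalized products of Definition 2 reduce to integer arithmetic. The nets N and IA and all place and transition names below are assumptions made up for the example.

```python
# Added example, not from the paper: Theorem 1's conditions (3.1)-(3.3) on a
# constructed net. With a single color and constant arc weights a CP-net is an
# ordinary place/transition net, so incidence entries and weights are integers
# and W_P * I (Definition 7) is a plain vector-matrix product. Every name below
# (N, IA, p1..p5, t1..t4) is made up for the example.

# A net is a dict mapping an arc (source, target) to its weight; place names
# start with "p" and transition names with "t".
N = {("p1", "t1"): 1, ("t1", "p2"): 1,
     ("p2", "t2"): 1, ("t2", "p3"): 1,
     ("p3", "t3"): 1, ("t3", "p1"): 1}   # a single token cycling p1 -> p2 -> p3 -> p1

# Insertion T-IN: places IP and transition IT spliced between arc (p3,t3) and t3,
# in the spirit of Fig. 1 (p4 carries a side loop on t4, p5 is the new input of t3).
IP, IT = {"p4", "p5"}, {"t4"}
IA = {("p3", "t4"): 1, ("p4", "t4"): 1, ("t4", "p4"): 1, ("t4", "p5"): 1, ("p5", "t3"): 1}


def nodes(net, prefix):
    """All node names of the net starting with the given prefix ("p" or "t")."""
    return {x for arc in net for x in arc if x.startswith(prefix)}


def incidence(net, p, t):
    """Definition 5 with constant arc weights: I[p][t] = E(t,p) - E(p,t)."""
    return net.get((t, p), 0) - net.get((p, t), 0)


def net_flow(net, t, places, w):
    """Definition 8: NF(t, P', W_P) = sum over p_k in P' of W_P(p_k) composed with
    I_kj, which for integer weights is the product w(p_k) * I[p_k][t]."""
    return sum(w.get(p, 0) * incidence(net, p, t) for p in places)


def is_p_invariant(net, w):
    """Definition 7: W_P is a P-invariant iff W_P * I = 0, i.e. NF(t, P, W_P) = 0 for all t."""
    return all(net_flow(net, t, nodes(net, "p"), w) == 0 for t in nodes(net, "t"))


def insert(net, ia):
    """Apply T-IN. AP/AT are the places/transitions of the old net touching an inserted
    arc; AA, the arcs between AP and AT, is removed (item a. of the formal description)."""
    ap = {p for p in nodes(net, "p") if any(p in arc for arc in ia)}
    at = {t for t in nodes(net, "t") if any(t in arc for arc in ia)}
    aa = {arc for arc in net if arc[0] in ap | at and arc[1] in ap | at}
    new = {arc: wgt for arc, wgt in net.items() if arc not in aa}
    new.update(ia)
    return new, ap, at


def theorem1_conditions(net, net1, ap, at, ip, it, w, w1):
    """Evaluate (3.1), (3.2), (3.3) of Theorem 1 for W_P (on net) and W'_P (on net1).
    U + A is the support of W_P, F the part of the support of W'_P inside IP."""
    u_plus_a = {p for p, v in w.items() if v != 0}
    a = u_plus_a & ap
    f = {p for p, v in w1.items() if v != 0 and p in ip}
    support1 = {p for p, v in w1.items() if v != 0}
    # (3.1): W'_P has support U + A + F and agrees with W_P on U + A
    c31 = support1 - ip == u_plus_a and all(w[p] == w1.get(p, 0) for p in u_plus_a)
    # (3.2): the weighted net flow of each affected transition is unchanged
    c32 = all(net_flow(net1, t, a | f, w1) == net_flow(net, t, a, w) for t in at)
    # (3.3): the weighted net flow of each inserted transition is zero
    c33 = all(net_flow(net1, t, a | f, w1) == 0 for t in it)
    return c31, c32, c33


N1, AP, AT = insert(N, IA)                       # AP = {"p3"}, AT = {"t3"}
WP = {"p1": 1, "p2": 1, "p3": 1}                 # P-invariant of N: the token count is conserved
WP1_good = {"p1": 1, "p2": 1, "p3": 1, "p5": 1}  # extends WP over IP with F = {p5}
WP1_bad = {"p1": 1, "p2": 1, "p3": 1, "p5": 2}   # violates (3.2) and (3.3), hence no invariant

if __name__ == "__main__":
    print("W_P is a P-invariant of N:", is_p_invariant(N, WP))
    for name, w1 in (("good", WP1_good), ("bad", WP1_bad)):
        print(name, "conditions (3.1)-(3.3):", theorem1_conditions(N, N1, AP, AT, IP, IT, WP, w1),
              "P-invariant of N':", is_p_invariant(N1, w1))
```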



3.2 Preservation of T-Invariants under Insertion (T-IN) 

This section considers the duals of Theorem 1 and Corollary 1. 

Theorem 2. Let N be transformed to N' by T-IN and U ⊆ T − AT, A ⊆ AT and F ⊆ IT. 
Suppose W_T is a transition weight-function of N with support U + A and W'_T is a 
transition weight-function of N' with support U + A + F. If the following conditions: 

a. ∀t ∈ U, W_T(t) = W'_T(t), (3.5) 

∀t ∈ A, ∀v ∈ V ∩ V', W_T(t)(v) = W'_T(t)(v), (3.6) 

where V denotes Var(t) in N and V' denotes Var(t) in N'; 

b. ∀p ∈ AP, NF(p, A+F, W'_T) = NF(p, A, W_T); and (3.7) 

c. ∀p ∈ IP, NF(p, A+F, W'_T) = 0 (3.8) 

are satisfied, then W_T is a T-invariant of N iff W'_T is a T-invariant of N'. 



Proof. Let UP = P − AP, UT = T − AT, |P| = m and |UP| = d. Then, |AP| = m − d. By 
the definition of T-IN, the incidence matrix I is changed to I' as shown in Fig. 4. 

[Figure: the incidence matrix I of N beside the incidence matrix I' of N', in horizontal 
vector format. UP/UT, AP/AT, IP/IT: unaffected, affected, inserted places/transitions] 

Fig. 4. Incidence matrix representation of Insertion (T-IN) in horizontal vector format. 



In Fig. 4, Q_k (k = 1, ..., m) is a horizontal |UT|-vector. R_k (k = 1, ..., m+|IP|) and R'_k (k 
= 1, ..., m) are horizontal |AT|-vectors. S_k (k = d+1, ..., m+|IP|) is a horizontal |IT|- 
vector. 0_j (j = 1, ..., d) and 0_k (k = m+1, ..., m+|IP|) are a zero |IT|-vector and a zero |UT|- 
vector, respectively. For k = 1, ..., d, R_k and R'_k have the following relationship: (R_k)_j (j 
= 1, ..., |AT|) is the multi-set extension of the function f_k,|UT|+j(b) = E(t_|UT|+j, p_k)(b) − 
E(p_k, t_|UT|+j)(b), where b must be a binding of t_|UT|+j in N; whereas (R'_k)_j is the multi-set 
extension of the function f'_k,|UT|+j(b') = E'(t_|UT|+j, p_k)(b') − E'(p_k, t_|UT|+j)(b'), where b' must be a 
binding of t_|UT|+j in N'. From the definition of T-IN, for t_|UT|+j ∈ AT and p_k ∈ UP, 
E'(t_|UT|+j, p_k) = E(t_|UT|+j, p_k) and E'(p_k, t_|UT|+j) = E(p_k, t_|UT|+j). Thus, f_k,|UT|+j and f'_k,|UT|+j have the 
same form. However, because A(t_|UT|+j) will change after the transformation, Var(t_|UT|+j) 
will also change. Hence, f_k,|UT|+j and f'_k,|UT|+j have different domains. Let V_j and 
V'_j denote Var(t_|UT|+j) in N and N', respectively. If b and b' satisfy the condition that 
∀v ∈ V_j ∩ V'_j: b(v) = b'(v), then f_k,|UT|+j(b) = f'_k,|UT|+j(b'). 

Next, we express W_T in the form (α β), where α is a |UT|-vector such that { t ∈ UT | 
|α(t)| ≠ 0 } = U and β is an |AT|-vector such that { t ∈ AT | |β(t)| ≠ 0 } = A. From (3.5) 
and (3.6), W'_T can be expressed in the form (α β' γ), where β' is the modification 
of β based on (3.6), and γ is an |IT|-vector such that { t ∈ IT | |γ(t)| ≠ 0 } = F. Next, we 
will show that the following formula is true if W_T and W'_T satisfy (3.7) and (3.8). 



$$I * W_T = 0 \iff I' * W'_T = 0. \qquad (3.9)$$ 

a. For k = 1, 2, ..., d, from (3.5) and the relationship of R_k and R'_k, we have 
R_k * β = 0 iff R'_k * β' = 0, and 

$$(Q_k\ R_k) * \begin{pmatrix} \alpha \\ \beta \end{pmatrix} = 0 \iff (Q_k\ R'_k\ 0_k) * \begin{pmatrix} \alpha \\ \beta' \\ \gamma \end{pmatrix} = 0.$$ 

b. For k = d+1, ..., m, from Definition 8, we have NF(p_k, A, W_T) = R_k * β and 
NF(p_k, A+F, W'_T) = R'_k * β' + S_k * γ. Together with (3.7), we have R_k * β = 
R'_k * β' + S_k * γ. Hence, 

$$(Q_k\ R_k) * \begin{pmatrix} \alpha \\ \beta \end{pmatrix} = 0 \iff (Q_k\ R'_k\ S_k) * \begin{pmatrix} \alpha \\ \beta' \\ \gamma \end{pmatrix} = 0.$$ 

c. For k = m+1, ..., m+|IP|, from Definition 8, we have NF(p_k, A+F, W'_T) = 
R_k * β' + S_k * γ. Together with (3.8), we have R_k * β' + S_k * γ = 0. Hence, 

$$(0_k\ R_k\ S_k) * \begin{pmatrix} \alpha \\ \beta' \\ \gamma \end{pmatrix} = 0.$$ 

Therefore, if Conditions (3.7) and (3.8) are satisfied, (3.9) is true. □ 



Corollary 2. Let N be transformed to N' by Insertion T-IN, U = (T − AT) ∩ INV, A = 
AT ∩ INV and F = IT ∩ INV. 

a. Suppose W_T is a T-invariant of N with support INV and W'_T is a transition 
weight-function of N' with support INV + F, where F ⊆ IT. If U, A and F 
satisfy (3.5) - (3.8), then W'_T is a T-invariant of N'. 

b. Suppose W'_T is a T-invariant of N' with support INV and W_T is a transition 
weight-function of N with support U + A. If U, A and F satisfy (3.5) - (3.8), 
then W_T is a T-invariant of N. 

Example. As a special case of Theorem 2, Corollary 2 can be applied to find T- 
invariants of the transformed/original net from the original/transformed net. For 
example, in Fig. 1, 

$$W_{T1} = \begin{pmatrix} t_2 & t_3 \\ \langle x=a, y=b\rangle & 3`\langle x=a, y=b\rangle \end{pmatrix} \quad\text{and}\quad W_{T2} = \begin{pmatrix} t_1 & t_3 \\ 3`\langle x=a, y=b\rangle & 3`\langle x=a, y=b\rangle \end{pmatrix}$$ 

are two T-invariants of N_a. The support of W_T1 is INV = {t2, t3}. Let U = (T − AT) ∩ INV 
= {t2}, A = AT ∩ INV = {t3} and F = {t4}. 

$$W'_{T1} = \begin{pmatrix} t_2 & t_3 & t_4 \\ \langle x=a, y=b\rangle & 3`\langle x=a, y=b, z=c\rangle & \langle x=a, y=b, z=c\rangle \end{pmatrix}$$ 

is a transition weight-function of N'_a. By Corollary 2.a, since U, A and F satisfy (3.5) - (3.8), W'_T1 is 
a T-invariant of N'_a. Similarly, from W_T2, we can show that 

$$W'_{T2} = \begin{pmatrix} t_1 & t_3 & t_4 \\ 3`\langle x=a, y=b\rangle & 3`\langle x=a, y=b\rangle & \langle x=a, y=b, z=c\rangle \end{pmatrix}$$ 

is a T-invariant of N'_a. Conversely, given W'_T1 and W'_T2, we can find W_T1 and W_T2 by Corollary 2.b. 

3.3 Elimination T-EL 

Elimination T-EL reverses the roles of N and N' in Insertion T-IN. The conditions for 
preserving invariants are the same as those given in Theorem 1 and Theorem 2. Some 
reductions of CP-nets [12] can be seen as special cases of Elimination. 



4 Replacement T-RE 

Replacement may be divided into two cases: Replacement-of-Places T-RP replaces a 
set of places and some adjacent arcs with other places and arcs. Replacement-of- 
Transitions T-RT is similar to T-RP except that it deals with transitions. 

Example. Fig. 5 shows that N_b is transformed to N'_b by replacing the set of places AP 
= {p4, p5, p6} with RP = {p'4, p'5} and the set of adjacent arcs AR = {(t3,p4), (t3,p5), 
(t3,p6), (t4,p4), (p4,t5), (p5,t5), (p5,t6), (p6,t6)} with RA = {(t3,p'4), (t3,p'5), (t4,p'4), (p'4,t5), 
(p'4,t6), (p'5,t5), (p'5,t6)}. The color function RC assigns a color set to each of the 
replacing places in RP as follows: RC(p'4) = RC(p'5) = D. The arc expression function 
RE assigns an expression to each of the arcs in RA as follows: RE(t3,p'4) = x+2`y, 
RE(t3,p'5) = 2`x+y, RE(t4,p'4) = x, RE(p'4,t5) = 2`x+y, RE(p'4,t6) = y, RE(p'5,t5) = x and 
RE(p'5,t6) = x+y. 

For convenience in description, T is divided into two disjoint sets of transitions AT 
and UT, where AT (affected transitions) denotes those connected to at least one arc in 
RA, whereas UT (unaffected transitions) denotes those not connected to any arc in RA. 
Also, we use UP to denote P − AP. In Fig. 6, AT = {t3, t4, t5, t6} and UP = {p1, p2, p3}. 
For a transition t in AT, the guard expression may be modified because of the change 
of its adjacent arcs. We use a guard function RG defined on AT to reflect such 
changes. Fig. 6 shows the matrix representation of the transformation described in 
Fig. 5. 
Fig. 5. T-RP transforms N_b into N'_b by replacing the set of places AP = {p4, p5, p6} with the set 
of places RP = {p'4, p'5}. Their adjacent arcs are modified as well. 

[Figure: incidence matrix of N_b beside incidence matrix of N'_b. 
UP/UT, AP/AT: unaffected, affected places/transitions; RP: replacing places] 

Fig. 6. Incidence matrix representation of the transformation in Figure 5. 



Formal Description of Replacement-of-Places T-RP 

Replacement-of-Places T-RP transforms a CP-net N = <P, T, A, C, E, G> to another 
CP-net N' = <P', T', A', C', E', G'> by replacing the set of places AP with RP and the 
set of adjacent arcs AR with RA. Associated with T-RP are a color function RC 
defined on RP and an arc-expression function RE: RA → Exps for assigning functions 
or expressions to the replacing places RP and arcs RA. 

N and N' are related as follows: 

a. P' = P − AP + RP, T' = T and A' = A − AA + RA, 

where AA = ∪_{p ∈ AP} A(p) and RA ⊆ ∪_{p ∈ RP} ({p} × T' + T' × {p}) 

b. C'(p) = C(p)  if p ∈ P − AP 

        = RC(p) if p ∈ RP 

   E'(a) = E(a)  if a ∈ A − AA 

        = RE(a) if a ∈ RA 

c. G'(t) = RG(t) if t ∈ AT, where AT = { t | A(t) ∩ AA ≠ ∅ } 

        = G(t)  if t ∈ UT = T − AT 

Replacement-of-Places T-RP can be considered as a combination of a T-EL 
eliminating AP and a T-IN inserting RP. However, looser conditions for preserving 
invariants will be given in the following subsections. 

4.1 Preservation of P-Invariants under Replacement-of-Places T-RP 

Theorem 3. Let $N$ be transformed to $N'$ by T-RP and let $U \subseteq P - AP$, $A \subseteq AP$ and $R \subseteq RP$. Suppose $W_P$ is a place weight-function of $N$ with support $U \cup A$ and $W'_P$ is a place weight-function of $N'$ with support $U \cup R$. If the following conditions:

a. $\forall p \in U$, $W_P(p) = W'_P(p)$ and (4.1)

b. $\forall t \in AT$: $NF(t, R, W'_P) = NF(t, A, W_P)$ (4.2)

are satisfied, then $W_P$ is a P-invariant of $N$ iff $W'_P$ is a P-invariant of $N'$.

Proof: Let $UP = P - AP$, $UT = T - AT$, $|T| = n$ and $|UT| = i$. Then $|AT| = n - i$. By the definition of T-RP, the incidence matrix $I$ will be transformed to $I'$ as shown in Fig. 7.





[Figure 7: incidence matrix $I$ of $N$ (columns $UT$, $AT$; rows $UP$, $AP$, written as vertical vectors $X_k$ over $UP$ and $Y_k$ over $AP$) and incidence matrix $I'$ of $N'$ (rows $UP$, $RP$, written as vertical vectors $X'_k$ and $Y'_k$).]
$UP/UT$, $AP/AT$: unaffected, affected places/transitions; $RP$: replacing places.

Fig. 7. Representation of Replacement-of-places (T-RP) in vertical vector format.



In Fig. 7, $X_1, \ldots, X_i, X_{i+1}, \ldots, X_n, X'_{i+1}, \ldots, X'_n$ are vertical $|UP|$-vectors, $Y_{i+1}, \ldots, Y_n$ are vertical $|AP|$-vectors and $Y'_{i+1}, \ldots, Y'_n$ are vertical $|RP|$-vectors. Similar to those in Fig. 3, $X_k$ and $X'_k$ are related in such a way that their $j$-th elements $(X_k)_j$ and $(X'_k)_j$ are represented by the same expression. However, $(X_k)_j$ is defined on $B(t_k)_{MS}$ in $N$ whereas $(X'_k)_j$ is defined on $B'(t_k)_{MS}$ in $N'$. Note that, for $t_j \in AT$, $A(t_j)$ is changed by the transformation, causing also changes to $Var(t_j)$. Let $V_j / V'_j$ denote $Var(t_j)$ in $N / N'$, respectively. Suppose $b$ and $b'$ are two bindings of $t_j$ in $N$ and $N'$, respectively. If $\forall v \in V_j \cap V'_j$, $b(v) = b'(v)$, then

$X_j(b) = X'_j(b')$. (4.3)

Let $W_P$ be of the form $(\alpha\ \beta)$, where $\alpha$ is a $|UP|$-vector such that $\{a \in UP \mid |\alpha(a)| \neq 0\} = U$ and $\beta$ is a $|AP|$-vector such that $\{b \in AP \mid |\beta(b)| \neq 0\} = A$. Then, the support of $W_P$ is $U \cup A$. From the structural relationship of their incidence matrices, $W'_P$ can be expressed as $(\alpha\ \beta')$, where $\beta'$ is a $|RP|$-vector such that $\{v \in RP \mid |\beta'(v)| \neq 0\} = R$. Next, we shall prove that, if $W_P$ and $W'_P$ satisfy (4.2), the following formula is true:

$W_P * I = 0$ iff $W'_P * I' = 0$. (4.4)

By Definition 8, we have: $\forall t_k \in AT$, $i < k \le n$, $NF(t_k, A, W_P) = \beta * Y_k$ and $NF(t_k, R, W'_P) = \beta' * Y'_k$. From (4.2), we have $\beta * Y_k = \beta' * Y'_k$.

a. For $k = 1, 2, \ldots, i$, it is obvious that

$(\alpha\ \beta) * \binom{X_k}{0} = (\alpha\ \beta') * \binom{X_k}{0}$.

b. For $k = i+1, \ldots, n$, from (4.3), we have $\alpha * X_k = 0$ iff $\alpha * X'_k = 0$. Together with (3.26), we have $\alpha * X_k + \beta * Y_k = 0$ iff $\alpha * X'_k + \beta' * Y'_k = 0$, i.e.

$(\alpha\ \beta) * \binom{X_k}{Y_k} = 0$ iff $(\alpha\ \beta') * \binom{X'_k}{Y'_k} = 0$.

Hence, if the conditions described in (4.2) are satisfied, (4.4) is true.



Corollary 3. Let $N$ be transformed to $N'$ by T-RP.

a. Suppose $W_P$ is a P-invariant of $N$ with support $INV$. Let $U = (P - AP) \cap INV$ and $A = AP \cap INV$. Suppose $W'_P$ is a place weight-function of $N'$ with support $U + R$, where $R \subseteq RP$. If $U$, $A$ and $R$ satisfy (4.1) and (4.2), then $W'_P$ is a P-invariant of $N'$.

b. Suppose $W'_P$ is a P-invariant of $N'$ with support $INV$. Let $U = (P - AP) \cap INV$ and $R = RP \cap INV$. Suppose $W_P$ is a place weight-function of $N$ with support $U + A$, where $A \subseteq AP$. If $U$, $A$ and $R$ satisfy (4.1) and (4.2), then $W_P$ is a P-invariant of $N$.

As a special case of Theorem 3, Corollary 3 makes it easier to find a P-invariant of the original or transformed net from that of the other.



4.2 Preservation of T-Invariants under Replacement-of-Places T-RP 

In this section, conditions for preserving T-invariants are given in Theorem 4, whereby T-invariants of the transformed net can be found from those of the original net. But the inverse process has not been found yet.

Theorem 4. Let $N$ be transformed to $N'$ by T-RP. If $W_T$ is a T-invariant of $N$, then $W_T$ is also a T-invariant of $N'$, provided that the following conditions are satisfied:

a. $\forall t \in T$, $B(t)$ is not changed under the transformation,

b. $\forall p'_m \in RP$, $\forall t_j \in AT$,

$E'(t_j, p'_m) - E'(p'_m, t_j) = \sum_{p_k \in AP} Z_{m,k} * [E(t_j, p_k) - E(p_k, t_j)]$, (4.5)

where $Z_{m,k}$ is a function $C(p_k)_{MS} \to C(p'_m)_{MS}$.

Proof: By Theorem 4, the incidence matrix $I$ is transformed to $I'$ as shown in Fig. 8.

[Figure 8: incidence matrix $I$ of $N$ (columns $UT$, $AT$; rows $UP$ written as horizontal vectors $(Q_k\ R_k)$ for $k = 1, \ldots, d$ and rows $AP$ written as $(0\ R_k)$ for $k = d+1, \ldots, d+|AP|$) and incidence matrix $I'$ of $N'$ (rows $UP$ unchanged and rows $RP$ written as $(0\ R'_k)$ for $k = d+1, \ldots, d+|RP|$).]
$UP/UT$, $AP/AT$, $RP$: unaffected, affected, replacing places/transitions.

Fig. 8. Representation of Replacement-of-places T-RP in horizontal vector format.

Next, we express $W_T$ in the form $(\alpha\ \beta)$, where $\alpha$ is a $|UT|$-vector and $\beta$ is a $|AT|$-vector. Now we have to prove $I' * W_T = 0$. Since $I * W_T = 0$, we have

$Q_k * \alpha + R_k * \beta = 0$ for $k = 1, \ldots, d$ (4.6)

and $R_k * \beta = 0$ for $k = d+1, \ldots, d+|AP|$. (4.7)

By (4.5), we have $(R'_m)_i = E'(u_i, p'_m) - E'(p'_m, u_i) = \sum_{k=d+1}^{d+|AP|} Z_{m,k} (R_k)_i$ for $m = d+1, \ldots, d+|RP|$ and $i = 1, \ldots, |AT|$. Hence

$\sum_{i=1}^{|AT|} (R'_m)_i \beta_i = \sum_{i=1}^{|AT|} \Big(\sum_{k=d+1}^{d+|AP|} Z_{m,k} (R_k)_i\Big) \beta_i = \sum_{k=d+1}^{d+|AP|} Z_{m,k} \Big(\sum_{i=1}^{|AT|} (R_k)_i \beta_i\Big)$. (4.8)

From (4.7), we have $\sum_{i=1}^{|AT|} (R_k)_i \beta_i = 0$ and hence $\sum_{k=d+1}^{d+|AP|} Z_{m,k} \big(\sum_{i=1}^{|AT|} (R_k)_i \beta_i\big) = 0$. That means $R'_m * \beta = 0$. Together with (4.6), it follows that $I' * W_T = 0$.

Theorem 4 is useful for checking whether a T-invariant is preserved under T-RP. Take Fig. 6 as an example. Suppose $Z_{4,4}(x) = x$, $Z_{4,5}(x, y) = y$, $Z_{4,6} = 0$, $Z_{5,4}(x) = 0$, $Z_{5,5}(x, y) = x$ and $Z_{5,6}(y) = y$. Then, the T-invariant $W_T$ of the original net, whose components over $t_1, t_2, t_3, t_4$ include $\langle x=a, y=b\rangle + \langle x=b, y=a\rangle$ and $\langle x=a\rangle + \langle x=b\rangle$, is preserved under T-RP.



4.3 Replacement-of-Transitions T-RT 

As the dual of T-RP, T-RT transforms a CP-net to another by replacing a set of 
transitions and their adjacent arcs with another set of transitions and arcs. There exist 
results similar to Theorems 3, 4 and Corollary 3. The details are omitted. 



5 Composition T-CO and Decomposition T-DC 

Composition T-CO connects two CP-nets by fusing some of their places or transitions in a one-to-one manner, while decomposition T-DC is the inverse process. They are often used in the modular analysis of a system. T-CO includes two dual classes: Composition-by-Fusing-Places T-CP and Composition-by-Fusing-Transitions T-CT.

Example. Fig. 9 shows an example of T-CP, where $N_c$ and $N_d$ are combined into $N_e$ by fusing places $p_{1,1}$, $p_{2,1}$ into $p'_1$, and places $p_{1,2}$, $p_{2,2}$ into $p'_2$. As shown below, the transformation described in Fig. 9 can be expressed in terms of a composition of incidence matrices (Fig. 10). Let $AP_1/AP_2$ (affected places) be the set of places in $N_c/N_d$ to be fused, $UP_1/UP_2$ (unaffected places) be the set of places in $N_c/N_d$ not to be fused and $AA_1/AA_2$ (affected arcs) be the arcs in $N_c/N_d$ connected to the affected places, i.e., $AA_1 = \{(p,t) \mid p \in AP_1\} + \{(t,p) \mid p \in AP_1\}$, $AA_2 = \{(p,t) \mid p \in AP_2\} + \{(t,p) \mid p \in AP_2\}$. A pair of affected places is fused into a new combined place. Let the set of combined places be $AP$ and the set of arcs connected to the combined places be $AA$. In Fig. 9, $UP_1 = \{p_1, p_2, p_3\}$, $AP_1 = \{p_{1,1}, p_{1,2}\}$, $AA_1 = \{(p_{1,1}, t_2), (t_3, p_{1,1}), (p_{1,2}, t_3), (t_4, p_{1,2})\}$, $UP_2 = \{p_4, p_5\}$, $AP_2 = \{p_{2,1}, p_{2,2}\}$, $AP = \{p'_1, p'_2\}$, $AA = \{(p'_1, t_2), (p'_1, t_6), (t_3, p'_1), (t_5, p'_1), (t_7, p'_1), (p'_2, t_3), (p'_2, t_6), (t_4, p'_2), (t_7, p'_2)\}$.




Fig. 9. $N_c$ and $N_d$ are combined into $N_e$ by fusing $p_{1,1}$, $p_{2,1}$ into $p'_1$ and $p_{1,2}$, $p_{2,2}$ into $p'_2$.

[Figure 10: incidence matrices of $N_c$, $N_d$ and the combined net $N_e$.]
$UP_1/UP_2$: unaffected places of $N_c/N_d$; $AP_1/AP_2$: affected places of $N_c/N_d$; $AP$: places in $N_e$ which are formed by fusing two places in $AP_1$ and $AP_2$.

Fig. 10. Incidence matrix representation of the transformation in Figure 9.



Formal Description of Composition-by-Fusing-Places T-CP 

Consider two CP-nets $N_1 = \langle P_1, T_1, A_1, C_1, E_1, G_1\rangle$ and $N_2 = \langle P_2, T_2, A_2, C_2, E_2, G_2\rangle$. Let $P_1 = UP_1 + AP_1$, where $AP_1 = \{p_{1,1}, p_{1,2}, \ldots, p_{1,i}, \ldots, p_{1,m}\}$, and $P_2 = UP_2 + AP_2$, where $AP_2 = \{p_{2,1}, p_{2,2}, \ldots, p_{2,i}, \ldots, p_{2,m}\}$. Suppose, for $i = 1, 2, \ldots, m$, $p_{1,i}$ and $p_{2,i}$ have the same set of token-colors, i.e., $C_1(p_{1,i}) = C_2(p_{2,i})$. Composition-by-Fusing-Places T-CP combines $N_1$ and $N_2$ into a CP-net $N' = \langle P', T', A', C', E', G'\rangle$ by fusing $p_{1,i}$ and $p_{2,i}$ into $p'_i$ ($i = 1, 2, \ldots, m$).

$N_1$, $N_2$ and $N'$ are related in the following way:

a. $P' = UP_1 + AP + UP_2$, where $AP = \{p'_1, p'_2, \ldots, p'_i, \ldots, p'_m\}$.

b. $T' = T_1 + T_2$.

c. $A' = (A_1 - AA_1) + (A_2 - AA_2) + AA$,

where $AA_1 = \{A_1(p) \mid p \in AP_1\}$, $AA_2 = \{A_2(p) \mid p \in AP_2\}$ and

$AA = \sum_{i=1}^{m} \sum_{t \in T_1} \big(\{(p'_i, t) \mid (p_{1,i}, t) \in A_1\} + \{(t, p'_i) \mid (t, p_{1,i}) \in A_1\}\big) + \sum_{i=1}^{m} \sum_{t \in T_2} \big(\{(p'_i, t) \mid (p_{2,i}, t) \in A_2\} + \{(t, p'_i) \mid (t, p_{2,i}) \in A_2\}\big)$.

d. $C'(p) = C_1(p)$ if $p \in UP_1$; $= C_2(p)$ if $p \in UP_2$; $= C_1(p_{1,i})$ if $p = p'_i$, for $1 \le i \le m$.

e. $E'(a) = E_1(a)$ if $a \in A_1 - AA_1$; $= E_2(a)$ if $a \in A_2 - AA_2$; $= E_1(p_{1,i}, t)$ if $a = (p'_i, t)$, $i = 1, 2, \ldots, m$, $t \in T_1$; $= E_1(t, p_{1,i})$ if $a = (t, p'_i)$, $i = 1, 2, \ldots, m$, $t \in T_1$; $= E_2(p_{2,i}, t)$ if $a = (p'_i, t)$, $i = 1, 2, \ldots, m$, $t \in T_2$; $= E_2(t, p_{2,i})$ if $a = (t, p'_i)$, $i = 1, 2, \ldots, m$, $t \in T_2$.

f. $G'(t) = G_1(t)$ if $t \in T_1$; $= G_2(t)$ if $t \in T_2$.

5.1 Preservation of Invariants under Composition-by-Fusing-Places T-CP 

This section presents our results concerning the preservation of P-invariants and T- 
invariants under T-CP. 

Theorem 5. Let T-CP combine $N_1$ and $N_2$ to form $N'$ by fusing the places $A_1 = \{p_{1,1}, \ldots, p_{1,i}, \ldots, p_{1,k}\}$ of $N_1$ with the places $A_2 = \{p_{2,1}, \ldots, p_{2,i}, \ldots, p_{2,k}\}$ of $N_2$, resulting in the set of combined places $A = \{p'_1, \ldots, p'_i, \ldots, p'_k\}$, where $1 \le k \le m$. Let $U_1 \subseteq UP_1$ and $U_2 \subseteq UP_2$.

a. Suppose $W_1$ is a place weight-function of $N_1$ with support $U_1 + A_1$, $W_2$ is a place weight-function of $N_2$ with support $U_2 + A_2$ and $W'$ is a place weight-function of $N'$ with support $U_1 + A + U_2$. If the following conditions:

1. $\forall p \in U_1$, $W'(p) = W_1(p)$, (5.1)

2. $\forall p \in U_2$, $W'(p) = W_2(p)$ and (5.2)

3. for $i = 1, 2, \ldots, k$, $W_1(p_{1,i}) = W_2(p_{2,i}) = W'(p'_i)$ (5.3)

are satisfied, then $W_1$ is a P-invariant of $N_1$ and $W_2$ is a P-invariant of $N_2$ iff $W'$ is a P-invariant of $N'$.

b. Suppose $W_1$ is a transition weight-function of $N_1$ with support $T_1$, $W_2$ is a transition weight-function of $N_2$ with support $T_2$ and $W'$ is a transition weight-function of $N'$ with support $T_1 + T_2$. If the following conditions:

1. $\forall t \in T_1$, $W'(t) = W_1(t)$, (5.4)

2. $\forall t \in T_2$, $W'(t) = W_2(t)$ and (5.5)

3. $W_1$ is a T-invariant of $N_1$ and $W_2$ is a T-invariant of $N_2$

are satisfied, then $W'$ is a T-invariant of $N'$.

Proof: As shown in Fig. 11, the incidence matrices of $N_1$ and $N_2$ are combined to form the incidence matrix of $N'$, where $|T_1| = n_1$, $|T_2| = n_2$. Note that, for $k = 1, 2, \ldots, n_1$, $X_{1,k}$ is a vertical $|UP_1|$-vector and $Y_{1,k}$ is a vertical $|AP_1|$-vector. For $k = 1, 2, \ldots, n_2$, $Y_{2,k}$ is a vertical $|AP_2|$-vector and $X_{2,k}$ is a vertical $|UP_2|$-vector, where $|AP_1| = |AP_2| = |AP|$.

(a) Represent $W_1$ as $(\alpha_1\ \beta)$, where $\alpha_1$ is a $|UP_1|$-vector such that $\{p \in UP_1 \mid |\alpha_1(p)| \neq 0\} = U_1$ and $\beta$ is a $|AP_1|$-vector such that $\{p \in AP_1 \mid |\beta(p)| \neq 0\} = A_1$. Hence, the support of $W_1$ is $U_1 + A_1$. From (5.3), $W_2$ can be expressed as $(\beta\ \alpha_2)$, where $\alpha_2$ is a $|UP_2|$-vector such that $\{p \in UP_2 \mid |\alpha_2(p)| \neq 0\} = U_2$. Hence, the support of $W_2$ is $A_2 + U_2$. By (5.1)-(5.3), $W'$ can be expressed as $(\alpha_1\ \beta\ \alpha_2)$. It is then easy to prove that $W_1 * I_1 = 0$ and $W_2 * I_2 = 0$ iff $W' * I' = 0$.

(b) From the structural relationship of $N_1$ and $N_2$ with $N'$, $W'$ can be written as $(W_1\ W_2)$. It is then easy to prove that if $I_1 * W_1 = 0$ and $I_2 * W_2 = 0$ then $I' * W' = 0$.

[Figure 11: incidence matrix $I_1$ of $N_1$, incidence matrix $I_2$ of $N_2$ and incidence matrix $I'$ of $N'$, with rows $UP_1$, $AP$, $UP_2$ and columns $T_1$, $T_2$.]
$UP_1/UP_2$: unaffected places of $N_1/N_2$; $AP_1/AP_2$: affected places of $N_1/N_2$; $AP$: places in $N'$ which are formed by fusing two places in $AP_1$ and $AP_2$.

Fig. 11. Incidence matrix transformation of Composition-by-Fusing-Places (T-CP).



Example. Theorem 5 makes it possible to find the invariants of a composite net from those of its components. Fig. 9 shows a P-invariant of $N_c$ and a P-invariant of $N_d$ which agree on the fused places; it follows from Theorem 5 that the weight-function they determine over $p_3$, $p'_2$, $p_4$, $p_5$ is a P-invariant of $N_e$. Similarly, from the T-invariant of $N_c$ assigning $\langle x=a, y=b\rangle$ to $t_2$, $t_3$, $t_4$ and the T-invariant of $N_d$ of the same form, it follows that the weight-function assigning $\langle x=a, y=b\rangle$ to the five transitions of $N_e$ is a T-invariant of $N_e$.
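As an added example (not code from the paper), the following Python program is a constructed place/transition instance of Theorem 5(a): the incidence matrices of two small nets are composed in the Fig. 11 layout by fusing one place of each, and a place weight-function built under conditions (5.1)-(5.3) is a P-invariant of the composed net exactly when its two components are P-invariants of the component nets. All net, place and transition names are constructed for this example; integer weights stand in for the paper's colored weight-functions.

```python
from typing import Dict, List, Optional, Tuple

# A net is kept as its incidence matrix I[p][t] = E(t, p) - E(p, t),
# i.e. the net change of tokens on place p when transition t fires.
Incidence = Dict[str, Dict[str, int]]
Weight = Dict[str, int]  # place weight-function (candidate P-invariant)


def incidence(places: List[str], transitions: List[str],
              arcs: Dict[Tuple[str, str], int]) -> Incidence:
    """Build the incidence matrix from arcs {(source, target): weight}."""
    mat = {p: {t: 0 for t in transitions} for p in places}
    for (src, dst), w in arcs.items():
        if src in mat:          # place -> transition: tokens consumed
            mat[src][dst] -= w
        else:                   # transition -> place: tokens produced
            mat[dst][src] += w
    return mat


def transitions_of(mat: Incidence) -> List[str]:
    return list(next(iter(mat.values())).keys())


def is_p_invariant(w: Weight, mat: Incidence) -> bool:
    """W * I = 0: for every transition the weighted column sum is zero."""
    return all(sum(w[p] * mat[p][t] for p in mat) == 0
               for t in transitions_of(mat))


def fuse_places(i1: Incidence, i2: Incidence,
                fusion: List[Tuple[str, str, str]]) -> Incidence:
    """T-CP on incidence matrices in the Fig. 11 layout. fusion lists
    (p_{1,i}, p_{2,i}, p'_i). Rows UP_1 keep their T_1 columns and get zero
    T_2 columns, rows UP_2 symmetrically, and each fused row is Y_{1,k}
    concatenated with Y_{2,k}."""
    t1, t2 = transitions_of(i1), transitions_of(i2)
    ap1 = {a for a, _, _ in fusion}
    ap2 = {b for _, b, _ in fusion}
    fused: Incidence = {}
    for p in i1:
        if p not in ap1:
            fused[p] = {**i1[p], **{t: 0 for t in t2}}
    for a, b, new in fusion:
        fused[new] = {**i1[a], **i2[b]}
    for p in i2:
        if p not in ap2:
            fused[p] = {**{t: 0 for t in t1}, **i2[p]}
    return fused


def compose_weight(w1: Weight, w2: Weight,
                   fusion: List[Tuple[str, str, str]]) -> Optional[Weight]:
    """Conditions (5.1)-(5.3): W' agrees with W_1 on UP_1, with W_2 on UP_2,
    and both components must give the same weight to a pair of fused places.
    Returns None when (5.3) is violated, i.e. Theorem 5(a) does not apply."""
    ap1 = {a for a, _, _ in fusion}
    ap2 = {b for _, b, _ in fusion}
    w = {p: v for p, v in w1.items() if p not in ap1}
    w.update({p: v for p, v in w2.items() if p not in ap2})
    for a, b, new in fusion:
        if w1[a] != w2[b]:
            return None
        w[new] = w1[a]
    return w


# Constructed component nets (not the paper's Fig. 9):
# N1: p1 -t1-> q1 -t2-> p2 ; N2: q2 -t3-> p3 ; q1 and q2 are fused into q'.
I1 = incidence(["p1", "p2", "q1"], ["t1", "t2"],
               {("p1", "t1"): 1, ("t1", "q1"): 1,
                ("q1", "t2"): 1, ("t2", "p2"): 1})
I2 = incidence(["q2", "p3"], ["t3"], {("q2", "t3"): 1, ("t3", "p3"): 1})
FUSION = [("q1", "q2", "q'")]
I_COMPOSED = fuse_places(I1, I2, FUSION)

W1 = {"p1": 1, "p2": 1, "q1": 1}   # support UP_1 + AP_1 of N1
W2 = {"q2": 1, "p3": 1}            # support AP_2 + UP_2 of N2


def theorem5a_holds(w1: Weight, w2: Weight) -> bool:
    """Both directions of Theorem 5(a) on the constructed instance: the
    component weight-functions are P-invariants iff the composed one is."""
    w = compose_weight(w1, w2, FUSION)
    if w is None:
        return False          # (5.3) violated: the theorem does not apply
    lhs = is_p_invariant(w1, I1) and is_p_invariant(w2, I2)
    rhs = is_p_invariant(w, I_COMPOSED)
    return lhs == rhs


if __name__ == "__main__":
    print("composed row of q':", I_COMPOSED["q'"])
    print("Theorem 5(a) holds for (W1, W2):", theorem5a_holds(W1, W2))
```

The weight-function {"q2": 2, "p3": 2} is still a P-invariant of N2 but cannot be composed with W1 because it breaks (5.3), which is why the theorem requires equal weights on fused places.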



5.2 Composition-by-Fusing-Transitions T-CT and Decomposition T-DC 

Similar to T-CP, T-CT combines two CP-nets into one by fusing a set of transitions. There exist results similar to Theorem 5. Decomposition T-DC, the inverse of Composition T-CO, can be defined by reversing the roles of $N_1$, $N_2$ and $N'$. The conditions for preserving invariants are the same as those given in Theorem 5. Details are omitted here.
6 Concluding Remarks and Discussion on Applications

This paper provides the criteria for determining whether an invariant of a CP-net is 
preserved under five classes of very general transformations. They are nontrivial 
generalizations from basic Petri nets [8] and have greatly enhanced similar techniques 
limited to special transformations or to CP-nets with special structures. In this section, 
we describe two useful areas of application to strengthen this claim. However, owing 
to space limitation and the scope of this paper, our description will be sketchy and 
aims essentially at providing information on our relevant current and future research. 

A. Application to the Synthesis of Flexible Manufacturing Systems (FMS) 

In an FMS, its various parts, such as resources, loading stations, assembly subsystems, unloading stations, etc., co-operate under the control of a computer program. A major issue in handling FMSs is to synthesize the design of these programs. In the past, low-level Petri nets have been widely used [15,24,25,26]. However, because of the limitations of such Petri nets, synthesis has been restricted mainly to small-scale systems. Recently, research and commercial applications have been extended to CP-nets. However, most of the extensions are for specification purposes and for special properties and transformations (mainly compositions). For example, Koh et al. [18] showed that liveness and boundedness of a circuit are preserved if it is composed by fusing two components along two types of common directed paths. Also, Ezpeleta et al. [13] studied deadlock prevention by proposing special methods for integrating the parts of an FMS.

The techniques reported in this paper have been used [9] in a use-case approach for modeling and analyzing FMSs. In this approach, invariants represent important properties of an FMS, such as P-invariants representing the resources and P-invariants representing cyclic processes. Our approach can be summarized as follows:

a. Specify each part of an FMS as a CP-net. If possible, express its properties under 
study as invariants of the CP-net. Find such invariants. 

b. Modify the CP-nets by Elimination (Section 3) if functional abstraction is desired 
or by Insertion (Section 3) if functional refinement is desired. 

c. Combine the modified CP-nets by T-CP (Section 5). Derive the invariants of the 
combined net from those of the modified component nets. 

d. Check whether the derived invariants are the same as those for the original FMS. 

B. Application to Management of Feature Interactions (FI) in Telephony Industry 

A feature, such as Call Waiting, Call Forwarding, etc., is a package of services or properties for enhancing the POTS (plain old telephone service) of a telephone system. Feature Interaction is the phenomenon that two features, while working well individually, cause abnormality when activated simultaneously [4,5,6,21]. Managing FIs is a very complex task because they may arise in many forms, such as non-determinism, deadlock or infinite looping, loss of original functionality, etc. The causes of FIs are also very diversified, ranging from violation of feature assumptions and limitations of network support to the intrinsic inadequacy of distributed systems. In the telephone industry, FIs are mainly discovered through exhaustive testing and resolved by experts adding modifications. Such an ad hoc approach becomes impractical as the number and complexity of features increase greatly under commercial competition.

Recently, formal methods have been used to avoid, detect and resolve FIs. Kawarasaki et al. [17] used T-invariants of CP-nets to reduce FIs. However, since they could not find T-invariants, they had to translate a CP-net to a colorless one. Nakamura et al. [22] used P-invariants of predicate/transition nets to check the reachability of those states where interaction occurs. The method is efficient because the scope to be detected is limited. However, finding P-invariants becomes an issue, especially for a complex system like a telephone network. Cheung et al. [6,21] first proposed the approach of using property-preserving transformations in the study of FIs. This paper provides the theoretical foundation for such an approach. A summary of this approach is given below:

a. Specify the basic system and the features each as a CP-net. As a use-case, 
some common behavior of the feature is represented by a set of T-invariants, 
and the functionality of each feature is specified as a temporal formula. 

b. To integrate features into the system, we first modify the CP-net of the 
system by replacing a set of transitions with another set. We then insert the 
CP-nets of the features into the modified CP-net. Find the T-invariants of the 
integrated Petri net. 

c. Deduce a set of firing sequences realizing the T-invariants of the integrated Petri net. An FI exists if any of the temporal formulas is violated over one of these firing sequences.



References 

[1] M.L. Benalycherif and C. Girault, "Behavioural and structural composition rules preserving liveness by synchronization for colored FIFO nets", Lecture Notes in Computer Science, Vol. 1091, Springer-Verlag, 1980, pp. 73-92.

[2] G. Berthelot, "Transformations and decompositions of nets", Lecture Notes in Computer Science, Vol. 254, Springer-Verlag, 1987, pp. 359-376.

[3] E. Best and T. Thielke, "Orthogonal transformations for colored Petri nets", Lecture Notes in Computer Science, Vol. 1248, Springer-Verlag, 1997, pp. 447-466.

[4] T.F. Bowen, F.S. Dworack, C.H. Chow, N. Griffeth, G.E. Herman, and Y.-J. Lin, "The feature interaction problem in telecommunications systems", Proc. 7th IEE Int. Conf. on Software Engineering Telecomm. Switching Systems, 1989, pp. 59-62.

[5] E.J. Cameron, N. Griffeth, Y.J. Lin, M.E. Nilson, W.K. Schnure and H. Velthuijsen, "A feature-interaction benchmark for IN and beyond", IEEE Communications Magazine, Vol. 26, No. 3, March 1993, pp. 64-69.

[6] T.Y. Cheung and Y. Lu, "Detecting and resolving the interaction between telephone features Terminating Call Screening and Call Forwarding by colored Petri-nets", Proc. 1995 IEEE International Conference on Systems, Man and Cybernetics, Vancouver, Oct. 1995, pp. 2245-2250.

[7] T.Y. Cheung, "Petri nets for protocol engineering", Journal of Computer Communications, Vol. 19, No. 14, Dec. 1996, pp. 1250-1257.

[8] T.Y. Cheung and W. Zeng, "Invariant-preserving transformations for the verification of place/transition systems", IEEE Trans. on Systems, Man and Cybernetics, Vol. 28, No. 1, Jan. 1998, pp. 114-221.

[9] T.Y. Cheung and Y. Lu, "A use case based approach to synthesis and analysis of flexible manufacturing systems", Technical Report TR-98-12, Dept. of Computer Science, City University of Hong Kong, 1998.

[10] S. Christensen and L. Petrucci, "Towards a modular analysis of coloured Petri nets", Lecture Notes in Computer Science, Vol. 616, Springer-Verlag, 1992, pp. 113-133.

[11] J. Ezpeleta and J.M. Colom, "Automatic synthesis of colored Petri nets for the control of FMS", IEEE Trans. Robotics and Automation, Vol. 13, No. 3, June 1997, pp. 327-337.

[12] S. Haddad, "A reduction theory for coloured nets", Advances in Petri Nets 1989, Lecture Notes in Computer Science, Vol. 424, Springer-Verlag, 1990, pp. 209-235.

[13] K. Jensen, "How to find invariants for coloured Petri nets", Lecture Notes in Computer Science, Vol. 118, Springer-Verlag, 1981, pp. 327-338.

[14] K. Jensen, "Coloured Petri nets: A high level language for system design and analysis", Lecture Notes in Computer Science, Vol. 483, Springer-Verlag, 1990, pp. 342-416.

[15] M.D. Jeng and F. DiCesare, "A review of synthesis techniques for Petri nets with applications to automated manufacturing systems", IEEE Trans. Systems, Man and Cybernetics, Vol. 23, No. 1, Jan/Feb 1993, pp. 301-312.

[16] K. Jensen, Coloured Petri Nets 3, Springer-Verlag, 1997.

[17] Y. Kawarasaki and T. Ohta, "A new proposal for feature interaction detection and elimination", in Feature Interactions in Telecommunication Systems III (K.E. Cheng and T. Ohta, eds.), IOS Press, 1995, pp. 127-139.

[18] I. Koh and F. DiCesare, "Synthesis rules for colored Petri nets and their applications to automated manufacturing system", Proc. 1991 IEEE International Symposium on Intelligent Control, Virginia, Aug. 1991, pp. 152-157.

[19] C. Lakos, "On the abstraction of coloured Petri nets", Lecture Notes in Computer Science, Vol. 1248, Springer-Verlag, 1997, pp. 42-61.

[20] H.K. Lee, "Generalized Petri net reduction method", IEEE Trans. Systems, Man, and Cybernetics, Vol. SMC-17, No. 2, March/April 1987, pp. 297-302.

[21] Y. Lu and T.Y. Cheung, "Feature interactions of the livelock type in IN: a detailed example", Proc. 7th IEEE Intelligent Network Workshop, Bordeaux, 1998, pp. 175-184.

[22] M. Nakamura, Y. Kakuda and T. Kikuno, "Petri-net based detection method for non-deterministic feature interactions and its experimental evaluation", in Feature Interactions in Telecommunications Systems IV (P. Dini, R. Boutaba and L. Logrippo, eds.), IOS Press, 1997, pp. 138-152.

[23] Y. Narahari and N. Viswanadham, "On the invariants of coloured Petri nets", Lecture Notes in Computer Science, Vol. 222, Springer-Verlag, 1986, pp. 330-345.

[24] M. Silva and R. Valette, "Petri nets and flexible manufacturing", Lecture Notes in Computer Science, Vol. 424, Springer-Verlag, 1990, pp. 374-417.

[25] M.C. Zhou, F. DiCesare, and A.A. Desrochers, "A hybrid methodology for synthesis of Petri net models for manufacturing systems", IEEE Trans. Robotics and Automation, Vol. 8, No. 3, Jun. 1992, pp. 350-361.

[26] R. Zurawski, "Verifying correctness of interfaces of design models of manufacturing systems using functional abstractions", IEEE Trans. Industrial Electronics, Vol. 44, No. 3, Jun. 1997, pp. 307-320.




Verifying Intuition — ILF Checks DAWN Proofs 



Thomas Baar*, Ekkart Kindler**, and Hagen Völzer***

1 Humboldt-Universität zu Berlin, Institut für Mathematik, D-10099 Berlin, Germany

2 Humboldt-Universität zu Berlin, Institut für Informatik, D-10099 Berlin, Germany



Abstract. The DAWN approach allows to model and verify distributed algorithms in an intuitive way. At first glance, a DAWN proof may appear to be informal. In this paper, we argue that DAWN proofs are formal and can be checked for correctness fully automatically by automated theorem provers. The basic technique is proof rules which generate proof obligations. For the definition of the proof rules we adopt assertions and we introduce conflict formulas for algebraic Petri nets. Experiments show that the generated proof obligations can be automatically checked by theorem provers.



Introduction 

It is a hard task to present a formal proof in an intuitively understandable way. Often, many details which are necessary for formal correctness obscure the basic idea of the proof. As a result, proofs are either formalistic rather than formal, or proofs are sloppy rather than intuitively understandable.

The Distributed Algorithms Working Notation (DAWN) was developed to model and verify distributed algorithms in an intuitive way. Proofs are on a high level of abstraction, which helps to focus on the basic idea rather than on formalistic details (e.g. [ ]). Due to the high level of abstraction, some details might be easily overlooked, resulting in an understandable but wrong proof. In this paper, we show how to avoid this problem: we introduce concepts and techniques which allow DAWN proofs to be checked automatically for correctness. Missing formal details (proof obligations) in DAWN proofs can automatically be added. With these details added, the proof can be checked with the help of automated theorem provers. This way, we build a bridge from DAWN proofs to automated theorem provers and we reconcile the requirements of intuitive understandability and formality of proofs.

The basic idea for the generation of the proof obligations are proof rules based on assertions and conflict formulas, which syntactically characterize conflicting transitions. Our experiments have shown that theorem provers can automatically prove the generated proof obligations within a reasonable time. For our experiments, we have used the ILF system¹, which provides an interface to many automated theorem provers.



1 The Example 

Before introducing the concepts in detail, we briefly introduce DAWN by an example. The example shows how to model and verify distributed algorithms in DAWN. We consider a simple protocol of negotiating agents (cf. [ ]).

1.1 Modelling

In DAWN, distributed algorithms are modelled by a particular kind of algebraic Petri nets [ ]. The model of the negotiation protocol is shown in Fig. [ ].

We assume that there is a set of agents U participating in the negotiations. Moreover, we assume that agents do not meet personally, but communicate by sending and receiving messages. Each agent x ∈ U may adopt two states: either it agrees to the current state of the negotiations or it still wants to negotiate. In the Petri net model, these two states are represented by either a token x on place agreed or a token x on place negotiating. Initially, all agents are negotiating, which is represented by the inscription U at place negotiating.

The possible actions of a negotiating agent x ∈ U are represented by the transitions t1, t2, and t4:

t1: An agent x ∈ U may make a new proposal to some other agent y ∈ U. In order to send a new proposal, agent x uses a dedicated envelope. In the system net, an envelope is modelled by a token (x, y) on place envelopes, where x is the sender and y is the receiver. Sending the envelope is modelled by removing the token (x, y) from place envelopes and putting a token (y, x) on place mailbox. Note that we do not represent the contents of a message in this model.

t2: Another action of a negotiating agent x ∈ U is taking a message from its mailbox. Then, it also returns the envelope to the sender y of this message. As we have seen before, a message from y to x is represented by a token (x, y) on place mailbox.

t4: The last action of a negotiating agent x ∈ U is to agree to the current result of the negotiations. But it may only do so if all its envelopes have been returned. The arc-inscription x × U (short for {x} × U) guarantees that every envelope of x has been returned.

An agent x ∈ U which has already agreed to the result of the negotiations must resume the negotiations when it receives a message from some agent. Upon receipt of the message, it returns the envelope to the sender. This action is modelled by transition t3.

Altogether, the system net from Fig. [ ] models the complete behaviour of the negotiation protocol, though we have not fixed the set of agents U yet. Indeed, the protocol works for any concrete choice of U. We use this kind of parameterization for modelling and verifying algorithms for any number of agents and different kinds of communication networks.

¹ ILF is an acronym for Integrating Logical Functions.



1.2 Specification 

Now, we show how to formalize properties of the algorithm with the help of two examples. The first property is: whenever all agents x ∈ U have agreed, there is no message left in any agent's mailbox. This property is denoted by the temporal formula

$\Box\ (\forall x \in U : agreed(x)) \Rightarrow (\forall y, z \in U : \neg mailbox(y, z))$

where agreed(x) means that a token x is on place agreed and mailbox(y, z) means that a token (y, z) is on place mailbox in a given state. The other operators are interpreted as usual. The preceding temporal operator □ (read 'always') says that the formula holds true in every reachable state. Therefore, this property is called an invariant. The second property is: whenever there is a message from agent y in the mailbox of agent x, agent x will eventually resume the negotiations. This is denoted by

$\forall x, y \in U : mailbox(x, y) \leadsto negotiating(x)$

The temporal operator ↝ (read 'leads-to') says that on each state satisfying mailbox(x, y), there will eventually follow a state satisfying negotiating(x).

In DAWN, we have some more operators (e.g. 'unless'). In this paper, however, we concentrate on invariants and leads-to formulas. The concepts presented in this paper can be easily transferred to the other operators of DAWN.
(1) $\Box\ negotiating + agreed = U$   Place invariant

(2) $\Box\ negotiating \times U + envelopes \geq U \times U$   Individual trap

(3) $\Box\ envelopes + \overline{mailbox} = U \times U$   Place invariant

(4) $\Box\ (\forall x \in U : agreed(x)) \Rightarrow (\forall y, z \in U : \neg mailbox(y, z))$   Weakening (1), (2), (3)

Table 1. A proof of the invariant



1.3 Verification 

The above properties seem to be pretty obvious, at least after some time of thinking over the protocol. Still, these properties should be verified. Table 1 shows a DAWN proof of the first property. The proof is organized in lines. Each line consists of three parts: the line number, the proven property, and the proof argument. For example, the proof arguments in lines (1) and (3) state that the invariants follow from the net's place invariants negotiating + agreed and envelopes + $\overline{mailbox}$, where place invariants are represented as linear expressions as introduced in [ ]: place symbols are bag-valued variables. In a given marking, these variables are assigned the marking of the corresponding place. The expression $\overline{mailbox}$ denotes the bag in which each pair of mailbox occurs reversed. The proof argument Individual trap of line (2) refers to a particular version of a trap generalized to high-level nets, which will be explained in more detail later. Basically, the individual trap says that in each reachable marking the expression negotiating × U + envelopes contains every pair (x, y) ∈ U × U. Line (4) says that the invariant immediately follows from the invariants proven in (1)-(3): assume that all agents have agreed. Then, we know by (1) that no agent is negotiating any more, which implies that negotiating × U is empty, too. By (2), we know envelopes ≥ U × U. In combination with (3) it follows that mailbox is empty.

Though we gave some additional arguments in the text and omitted arguments for place invariants and individual traps, we claim that the proof of Table 1 is formal and complete: we will show how to automatically add all missing details and how to check these details with the help of automated theorem provers.

Before that, let us briefly discuss the proof of the leads-to property, which is shown in Table 2. The proof argument refers to a so-called proof graph², which has been first introduced in [ ]. For a state which satisfies mailbox(x, y) we know by invariant (1) that either agent x is still negotiating or has already agreed. This proof argument is represented in the proof graph by the annotation Ref I (1) at node 1. From a state which satisfies mailbox(x, y) ∧ agreed(x) we know that the occurrence of transition t3 will eventually establish negotiating(x), which is captured by argument Progress t3 at the arc leaving node 2.

In the rest of this paper, we present techniques which allow the correctness 
of the above DAWN proof to be checked in a fully automatic way. Assertions (Sect. 3) 
and conflict formulas (Sect. 4) are used in proof rules (Sect. 5) for generating 
proof obligations from a DAWN proof. In Sect. 6 we present all obligations 
for the above example along with experimental results of some theorem 
provers. In Sect. 7 we argue why the experimental results are relevant for other 
examples, too. Note that we do not prove our results in this paper. The proofs 
can be found in the extended version of this paper [ref]. 

¹ called proof lattice by Owicki and Lamport 

Table 1. A DAWN proof of the first property 

(1)  □ negotiating + agreed = U                                 Place invariant 
(2)  □ negotiating × U + envelopes ≥ U × U                      Individual trap 
(3)  □ envelopes + mailbox̅ = U × U                              Place invariant 
(4)  □ (∀x ∈ U : agreed(x)) ⇒ (∀y, z ∈ U : ¬mailbox(y, z))      Weakening (1), (2), (3) 

Table 2. A proof of the leads-to property 

(5)  x, y ∈ U : mailbox(x, y) ▷ negotiating(x)                  Proof graph A 

Proof graph A: x, y ∈ U 
  1: mailbox(x, y)                  -- Refl (1) -->     nodes 2 and 3 
  2: mailbox(x, y) ∧ agreed(x)      -- Progress t3 -->  node 3 
  3: negotiating(x) 



2 Formalization of the Model 

This section formally introduces the two central elements of DAWN: algebraic 
system nets and temporal formulas. Formal definitions of prerequisites such as 
bags, algebras, signatures, variables, and terms can be found in the Appendix. 
Readers familiar with algebraic system nets and temporal logic can skip this 
section at first reading. 



Bag-signatures and -algebras. Let SIG = (S, OP) be a signature and GS, BS ⊆ 
S; BSIG = (S, OP, bs) is a bag-signature iff bs : GS → BS is a bijective mapping. 
An element of GS is called a ground-sort, an element of BS is called a bag-sort of 
BSIG. A SIG-algebra A is a BSIG-algebra if for each s ∈ GS holds A_bs(s) = 
B(A_s), where B(A_s) denotes the set of all bags over A_s. 

In the following, we assume that a bag-signature BSIG has a sort symbol 
bool ∈ S and that in each BSIG-algebra the corresponding domain is A_bool = 
{true, false}. Furthermore, we assume that, for each bag-sort, the usual bag 
operations (e.g. · + ·, [·], []) are predefined. A bag-signature BSIG = (S, OP, bs) is 
a specialized signature SIG = (S, OP), and by definition each BSIG-algebra is a 
SIG-algebra. Therefore, variables, terms, assignments, evaluations, and substi- 
tutions are defined for bag-signatures, too. 

If X is a BSIG-variable set, then the set of all BSIG-terms over X of sort s is 
denoted by T^BSIG_s(X), the set of all terms of any sort is denoted by T^BSIG(X), 
and the set of all ground terms of sort s is denoted by T^BSIG_s. 
Algebraic system nets. Let BSIG = (S, OP, bs) be a bag-signature with bag-sorts 
BS. An algebraic system net Σ = (N, A, X, i) over BSIG consists of 

1. a finite net N = (P, T, F) where P is sorted over BS, i.e., P = (P_s)_{s ∈ BS} is 
   a bag-valued BSIG-variable set, 

2. a BSIG-algebra A, 

3. a sorted BSIG-variable set X disjoint from P, 

4. a net inscription i : P ∪ T ∪ F → T^BSIG(X) such that 

   (a) for each p ∈ P_s : i(p) ∈ T^BSIG_s, 

   (b) for each t ∈ T : i(t) ∈ T^BSIG_bool(X), and 

   (c) for each t ∈ T and for each p ∈ P_s with f = (t, p) ∈ F or f = (p, t) ∈ F 
       holds i(f) ∈ T^BSIG_s(X). 

For a place p ∈ P, the inscription i(p) is called the symbolic initial marking of p; 
for a transition t ∈ T the term i(t) is called the guard of t. Note that a place is 
considered to be a variable and the sort of a place is a bag-sort. 

Pre- and post-substitution. For each transition t of an algebraic system net Σ, 
we define the two substitutions t⁻, t⁺ : P → T^BSIG(X), called pre- and post- 
substitution respectively, by: 

  t⁻(p) = i((p, t))  if (p, t) ∈ F,   and  t⁻(p) = []  otherwise; 
  t⁺(p) = i((t, p))  if (t, p) ∈ F,   and  t⁺(p) = []  otherwise. 

Markings, actions, and occurrence. Let BSIG be a bag-signature and Σ be an 
algebraic system net. A marking M of Σ is an assignment for P. The marking 
M₀ with M₀(p) = β_∅(i(p)) for each p ∈ P, where β_∅ denotes the evaluation of 
ground terms, is called the initial marking of Σ. We define addition and inclusion 
of markings elementwise as for bags. The empty marking is denoted by ∅. 

Transitions of algebraic system nets occur in modes. A mode β is an assign- 
ment for X. If β is a mode and t ∈ T is a transition, then t.β is called an action. 
With each action t.β we associate two markings βt⁻ and βt⁺,² called premark- 
ing and postmarking respectively. In the following, we only consider algebraic 
system nets in which for each transition t and each mode β, the markings βt⁻ 
and βt⁺ are nonempty (see [ref] for further explanation). 

With the help of these markings, we define enabledness and occurrence of actions 
as follows: In a given marking M₁, action t.β is enabled if there exists a marking 
M such that M₁ = βt⁻ + M and β(i(t)) = true. Then, t.β may occur, which 
results in the successor marking M₂ = M + βt⁺. We denote the occurrence of 
t.β by M₁ --t.β--> M₂. 

Remark 1. In the following, we employ terms over mixed variable sets, for ex- 
ample a term φ ∈ T^BSIG(P ∪ Y). Since P and Y are assumed to be disjoint, 
an assignment M for P (i.e. a marking) and an assignment β for Y can be 
canonically composed to an assignment for P ∪ Y, which is denoted by M_β. 

² βt⁻ denotes the sequential application of substitution t⁻ and evaluation β. 
Temporal formulas. Let Σ be an algebraic system net and Y be a variable set. 
A boolean term φ ∈ T^BSIG_bool(Y ∪ P) is a state formula; φ is valid in a marking 
M under an assignment β of the variables Y, denoted by M_β ⊨ φ, iff M_β(φ) = true. 
If φ and ψ are state formulas and y ∈ Y, then φ ∧ ψ, ¬φ, and ∀y : φ are 
state formulas; validity for them is defined as usual. Note that validity of state 
formulas is defined with respect to some algebra A. Let algebra A be fixed from 
now on; thus, validity means validity w.r.t. A. 

If φ and ψ are state formulas, then □φ and φ ▷ ψ are temporal formulas; □φ 
is valid in a run ρ = (K, r) under β if for all states Q of ρ we have (r(Q))_β ⊨ φ, 
where r(Q) denotes the marking associated with Q in ρ. A formula φ ▷ ψ is 
valid in ρ under β if for each state Q of ρ with (r(Q))_β ⊨ φ there is a state 
Q' of ρ such that Q' is reachable from Q and (r(Q'))_β ⊨ ψ. We say a temporal 
formula Φ is valid in Σ, denoted Σ ⊨ Φ, if Φ is valid in each run of Σ under 
each assignment β. 

Substitution Lemma. In the Appendix we have defined substitutions for terms, 
where each variable of a term is consistently replaced by a term of the same sort. 
We can also apply a substitution σ to a state formula φ. However, we need to 
take care of bound variables: all bound variables must consistently be replaced 
by fresh variables which do not occur anywhere else. A formal definition of 
substitution for formulas requires some technical effort and is therefore omitted. 
We rather state one important property of substitutions when defined in a proper 
way, which is known as the Substitution Lemma: For a formula φ, a substitution 
σ, and an assignment β holds β ⊨ σ(φ) if and only if βσ ⊨ φ. 



3 Assertions for Petri Nets 

Since the work of Hoare, assertions play a central role in almost all verific- 
ation techniques for sequential and parallel programs [ref]. Moreover, assertions 
are the formal basis for most temporal logics (e.g. [refs]). For some pro- 
gram statement s and two state formulas φ and ψ, the assertion {φ} s {ψ} is 
valid if executing statement s from a state which satisfies φ results in a state 
which satisfies ψ. One reason for the success of assertions is the structural 
verification techniques for assertions. For example, an assertion for an assign- 
ment {φ} x := e {ψ} is valid if and only if the state formula φ[x ← e] ⇒ ψ 
is valid, where φ[x ← e] results from φ by substituting expression e for every 
(free) occurrence of variable x. This reduction of the validity of an assertion to 
the validity of a state formula is a combination of Hoare's Axiom of Assignment 
and Rule of Consequence. 

However, there is a fundamental difference between a transition of a high-level 
net and an assignment statement of a parallel or sequential program: a transition 
can occur in different modes. The distinction of different modes will be crucial for 
some verification techniques based on assertions. Therefore, we need to capture 
assertions for an action t.μ in some way. The problem, however, is that μ is 
semantical in nature because it refers to the algebra and not to the signature. In 
order to cope with this problem, we define assertions for action schemes, where an 
action scheme is a pair of a transition t and a finite substitution σ, denoted by t.σ. 
The action scheme t.σ represents the set of actions {t.βσ | β is an assignment}. 
As already suggested by the same notation for actions and action schemes, we 
will not always make a clear distinction between actions and action schemes. 

Definition 1 (Assertion). Let Σ = (N, A, X, i) be an algebraic system net, 
let t be a transition of Σ, let Y be some set of variables, let σ : X → T^BSIG(Y) 
be a finite substitution, and let φ and ψ be state formulas (with variables P and 
Y). We call {φ} t.σ {ψ} an assertion. The assertion is valid if for each two 
markings M and M' of Σ and each assignment β : Y → A with M_β ⊨ φ and 
M --t.βσ--> M' we have M'_β ⊨ ψ. 

For example, the assertion {mailbox(x, y) ∧ agreed(x)} t3.id {negotiating(x)} 
is valid for our example from Fig. [?], where id denotes the identical substitution. 
In the rest of this section, we will reduce the validity of an assertion to the 
validity of a state formula. To this end, we define two substitutions ^t and t^ for 
a given action scheme t.σ (the presplit and the postsplit substitution). 

Definition 2 (Pre- and Postsplit Substitutions). For an action scheme t.σ 
of an algebraic system net, we define the substitutions ^t : P → T^BSIG(P ∪ Y) 
and t^ : P → T^BSIG(P ∪ Y) by ^t(p) = p + σt⁻(p) and t^(p) = p + σt⁺(p) for 
every place p of Σ. 

Basically, ^t(p) splits each place (resp. its marking) into two parts: σt⁻(p) 
represents those tokens which are consumed from p by action t.σ; p represents 
the remaining tokens at p. Similarly, t^(p) splits the place p into those tokens σt⁺(p) 
which are added to p by the occurrence of action t.σ and the remaining tokens 
at p. Now, we can reduce the validity of an assertion to the validity of a state 
formula. 



Proposition 1. An assertion {φ} t.σ {ψ} of an algebraic system net Σ is valid 
iff the following state formula is valid in the underlying algebra A of Σ: 

  ⊨ (^t(φ) ∧ σ(i(t))) ⇒ t^(ψ) 

The proof of Prop. 1 is similar to the proof of Hoare's Axiom of Assignment, 
which exploits the Substitution Lemma (see [ref]). As an example of an application 
of Prop. 1, the assertion {mailbox(x, y) ∧ agreed(x)} t3.id {negotiating(x)} can 
be reduced to the validity of the following formula: 

  ((mailbox + [(x, y)])(x, y) ∧ (agreed + [x])(x)) ⇒ (negotiating + [x])(x) 

This formula is obviously true because x occurs in the bag (negotiating + [x]). 
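Prop. 1 turns a statement about all markings and all modes into a state formula that can be checked by brute force once the algebra is finite. The following Python block is an added example, not code from the paper or from DAWN. It assumes a hypothetical transition t3 that consumes agreed(x) and mailbox(x, y) and produces negotiating(x) and mailbox(y, x) (the paper's net may differ), implements the presplit and postsplit substitutions of Def. 2 as transformations of the evaluation environment (which is exactly what the Substitution Lemma licenses), and evaluates the reduced formula over every assignment of small bags to the places and of agents to x and y. A second, deliberately invalid assertion {agreed(x)} t3.id {agreed(x)} shows how a countermodel surfaces: the split environment in which the "remaining tokens" bag agreed is empty.

```python
from collections import Counter
from itertools import combinations, product

U = ("a", "b")                                   # the finite algebra: two agents
PLACES = ("negotiating", "agreed", "mailbox")

def bag(*items):
    """A bag (multiset) as a Counter; absent keys read as multiplicity 0."""
    return Counter(items)

# Hypothetical transition t3 (an assumption for this example, sigma = id): the
# pre-/post-substitution reads the variables x, y from the environment.
def t3_pre(e):   return {"agreed": bag(e["x"]), "mailbox": bag((e["x"], e["y"]))}
def t3_post(e):  return {"negotiating": bag(e["x"]), "mailbox": bag((e["y"], e["x"]))}
def t3_guard(e): return True

# State formulas are predicates over an environment e that assigns a bag to each
# place and an agent to each variable; place(x) reads as "x occurs in place".
def phi(e): return e["mailbox"][(e["x"], e["y"])] > 0 and e["agreed"][e["x"]] > 0
def psi(e): return e["negotiating"][e["x"]] > 0
def agreed_x(e): return e["agreed"][e["x"]] > 0

def split(e, delta):
    """Def. 2: replace each place p by p + delta(p).  Evaluating phi in the split
    environment equals evaluating the substituted formula (Substitution Lemma)."""
    e2 = dict(e)
    for p in PLACES:
        e2[p] = e[p] + delta.get(p, bag())
    return e2

def reduced(pre, post, guard, phi, psi, e):
    """Prop. 1 for sigma = id: (^t(phi) and i(t)) => t^(psi), evaluated in e."""
    premise = phi(split(e, pre(e))) and guard(e)
    return (not premise) or psi(split(e, post(e)))

def small_bags(domain):
    """All bags over domain with multiplicity at most one (enough for countermodels here)."""
    return [bag(*c) for r in range(len(domain) + 1) for c in combinations(domain, r)]

def countermodel(pre, post, guard, phi, psi):
    """Search every small environment; return the first one falsifying the reduced formula, or None."""
    pairs = list(product(U, U))
    for neg, agr, mb in product(small_bags(U), small_bags(U), small_bags(pairs)):
        for x, y in pairs:
            e = {"negotiating": neg, "agreed": agr, "mailbox": mb, "x": x, "y": y}
            if not reduced(pre, post, guard, phi, psi, e):
                return e
    return None

def assertion_valid(pre, post, guard, phi, psi):
    return countermodel(pre, post, guard, phi, psi) is None

if __name__ == "__main__":
    print(assertion_valid(t3_pre, t3_post, t3_guard, phi, psi))        # the example of Prop. 1
    print(countermodel(t3_pre, t3_post, t3_guard, agreed_x, agreed_x))  # {agreed(x)} t3 {agreed(x)} fails
```

The search space is tiny (4 × 4 × 16 bag assignments times 4 variable assignments), but the point is the shape of the check: no marking of the net and no mode is ever enumerated, only the free variables of the reduced state formula, which is what a theorem prover sees as well.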
4 Conflict Formulas 

The idea for proving a leads-to property φ ▷ ψ is quite simple: We choose some 
action t.σ which is enabled in each state satisfying φ. Moreover, this action 
should establish ψ when it occurs, which can be expressed by {true} t.σ {ψ}. The 
problem, however, is that another action u.τ could occur which disables action 
t.σ and does not establish ψ. Then, we say that the two actions are in conflict. 
On the other hand, it could be that all actions in conflict with t.σ also establish ψ. 
If this is proven, then we have also proven φ ▷ ψ. In order to argue about those actions 
which are in conflict with t.σ, we introduce a conflict formula CONFLICT(t.σ, u.τ) 
which is true in those states in which both actions may occur but are in conflict. 
With this formula, we formalize that the occurrence of conflicting actions also 
establishes ψ by: for all t' : {CONFLICT(t.σ, t'.new)} t'.new {ψ}. The substitution 
new replaces each variable of the net by a fresh variable. 

Before introducing conflict formulas, let us rephrase the definition of a con- 
flict. Two actions are in conflict in a state if the premarkings of the two actions 
are not disjoint. Additionally, we require for two actions being in conflict that 
they have different effects, i.e. different premarkings or different postmarkings. 

Definition 3 (Conflict). Let Σ be an algebraic system net and M be a marking 
of Σ. Two actions t.μ and u.ν are in conflict in M if both actions (i) are enabled 
in M, (ii) do not have disjoint premarkings, i.e. μt⁻ ∩ νu⁻ ≠ ∅, and (iii) do not 
have the same effect, i.e. μt⁻ ≠ νu⁻ or μt⁺ ≠ νu⁺. 

For an action scheme t.σ the state formula ENABLED(t.σ), defined by 

  ENABLED(t.σ) = (∧_{s ∈ •t} σt⁻(s) ≤ s) ∧ σ(i(t)) 

characterizes enabledness of an action specified by t.σ. Disjointness of the cor- 
responding premarkings is expressed by 

  DISJOINT(t.σ, u.τ) = ∧_{s ∈ •t ∩ •u} σt⁻(s) ∩ τu⁻(s) = []. 

The state formula SAME(t.σ, u.τ), defined below, expresses that two actions have 
the same effect: 

  SAME(t.σ, u.τ) = ∧_{s ∈ •t ∪ •u ∪ t• ∪ u•} σt⁻(s) = τu⁻(s) ∧ σt⁺(s) = τu⁺(s) 

Together we get 

  CONFLICT(t.σ, u.τ) = ENABLED(t.σ) ∧ ENABLED(u.τ) ∧ ¬DISJOINT(t.σ, u.τ) ∧ ¬SAME(t.σ, u.τ) 

Proposition 2. Let Σ be an algebraic system net, M be a marking of Σ, and 
β be an assignment. Then, we have M_β ⊨ ENABLED(t.σ) if and only if t.βσ is 
enabled in M, and we have M_β ⊨ CONFLICT(t.σ, u.τ) if and only if t.βσ and 
u.βτ are in conflict in M. 
Examples. In our example, t1.σ and t3.τ are not in conflict for any substitutions 
σ and τ. Actions t2.σ and t3.τ are in conflict in the initial marking if σ(x) = 
τ(x). A transition can be in conflict with itself, as we have for t2.σ and t2.τ if 
σ(x) = τ(x) and σ(y) ≠ τ(y). Transition t4 is never in conflict with itself. 
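The enabledness and occurrence rules of Sect. 2 and the conflict definition (Definition 3) can be executed on a concrete net, which makes the examples above checkable rather than argued. The following Python block is an added example, not code from the paper or from DAWN. It builds a small hypothetical two-agent net whose place names follow the text (negotiating, agreed, envelopes, mailbox) but whose transitions send, agree and accept are an assumption made for this illustration; bags are collections.Counter values, a mode is a dictionary assigning agents to the transition's variables, enabledness is tested as M₁ = βt⁻ + M plus the guard, reachable markings are enumerated, and in_conflict decides Definition 3 literally: both actions enabled, premarkings not disjoint, effects different.

```python
from collections import Counter
from itertools import product

# Hypothetical two-agent net constructed for this example (an assumption, not the
# paper's net): place names follow the text, transitions are invented for illustration.
U = ("a", "b")
PLACES = ("negotiating", "agreed", "envelopes", "mailbox")

def bag(*items):
    """A bag (multiset) as a Counter; absent keys read as multiplicity 0."""
    return Counter(items)

def included(a, b):
    """Bag inclusion a <= b."""
    return all(b[k] >= n for k, n in a.items())

# transition name -> (variables, guard i(t), pre-substitution, post-substitution);
# each substitution maps a mode to {place: bag}; unmentioned places get [] ("otherwise").
NET = {
    "send": (("x", "y"), lambda m: True,
             lambda m: {"negotiating": bag(m["x"]), "envelopes": bag((m["x"], m["y"]))},
             lambda m: {"negotiating": bag(m["x"]), "mailbox": bag((m["x"], m["y"]))}),
    "agree": (("x",), lambda m: True,
              lambda m: {"negotiating": bag(m["x"])},
              lambda m: {"agreed": bag(m["x"])}),
    "accept": (("x", "y"), lambda m: m["x"] != m["y"],
               lambda m: {"agreed": bag(m["x"]), "mailbox": bag((m["x"], m["y"]))},
               lambda m: {"negotiating": bag(m["x"]), "mailbox": bag((m["y"], m["x"]))}),
}

def initial_marking():
    """M0: every agent negotiating, one envelope per ordered pair, nothing agreed or mailed."""
    return {"negotiating": bag(*U), "agreed": bag(),
            "envelopes": bag(*product(U, U)), "mailbox": bag()}

def modes(t):
    """All modes of t: assignments of its variables over U."""
    names = NET[t][0]
    return [dict(zip(names, vals)) for vals in product(U, repeat=len(names))]

def premarking(t, m):
    return {p: NET[t][2](m).get(p, bag()) for p in PLACES}

def postmarking(t, m):
    return {p: NET[t][3](m).get(p, bag()) for p in PLACES}

def enabled(M, t, m):
    """t.m is enabled in M iff M = premarking + M' for some M' and the guard holds in mode m."""
    pre = premarking(t, m)
    return bool(NET[t][1](m)) and all(included(pre[p], M[p]) for p in PLACES)

def occur(M, t, m):
    """Successor marking M2 = (M - premarking) + postmarking; call only when enabled."""
    pre, post = premarking(t, m), postmarking(t, m)
    return {p: (M[p] - pre[p]) + post[p] for p in PLACES}

def freeze(M):
    return tuple((p, tuple(sorted(M[p].items()))) for p in PLACES)

def reachable(M0):
    """All markings reachable from M0 (finite here: tokens are only moved, never created)."""
    seen, todo = {freeze(M0): M0}, [M0]
    while todo:
        M = todo.pop()
        for t in NET:
            for m in modes(t):
                if enabled(M, t, m):
                    M2 = occur(M, t, m)
                    if freeze(M2) not in seen:
                        seen[freeze(M2)] = M2
                        todo.append(M2)
    return list(seen.values())

def in_conflict(M, t, mu, u, nu):
    """Definition 3: both actions enabled in M, premarkings not disjoint, effects different."""
    if not (enabled(M, t, mu) and enabled(M, u, nu)):
        return False
    pre_t, pre_u = premarking(t, mu), premarking(u, nu)
    disjoint = all(not (pre_t[p] & pre_u[p]) for p in PLACES)
    same = all(pre_t[p] == pre_u[p] and postmarking(t, mu)[p] == postmarking(u, nu)[p]
               for p in PLACES)
    return not disjoint and not same

def invariant_holds():
    """Check the place invariant negotiating + agreed = U on every reachable marking."""
    return all(M["negotiating"] + M["agreed"] == bag(*U) for M in reachable(initial_marking()))
```

On this net, two send actions of the same agent with different addressees are in conflict in the initial marking (shared token in negotiating, different effect), two send actions of different agents are not (disjoint premarkings), and two identical send actions are not (same effect), which is the same pattern as the self-conflict of t2 described above. Note that in_conflict reasons about actions, i.e. fully instantiated modes; the CONFLICT formula of the text is the schematic version that quantifies over modes through fresh variables.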



5 Rules 

In this section, we present the basic proof rules of DAWN. These rules are 
based on assertions and conflict formulas. For each proof argument in a DAWN 
proof, there is one proof rule which can be used to generate all proof obligations 
necessary for checking the formal correctness of the argument. This way, the 
proof rules formalize and generalize Reisig's pick-up rules [ref]. 

Since the generation of proof obligations is going to be automated, the rules 
are structured in such a way that all premises of the rule can be generated from 
the rule's name, the formula to be proven, and some additional parameters. The 
allowed parameters depend on the particular rule. But there is one parameter 
which occurs in almost every rule: a list of already proven invariants. In an 
application of a rule, we refer to these invariants by a list of line numbers in 
which these invariants have already been proven (cf. Weakening in Table 1). In 
the rule itself, we refer to the conjunction of this list of invariants (where □ has 
been stripped) by the symbol I. If no invariant is given as a parameter for I, then 
true is the default. 



5.1 Rules for Invariants 

Let us start with two standard rules for verifying invariant properties — Invariance 
and Weakening: 

Invariance           I : invariant (optional) 
  1. ⊨ i(φ) 
  2. for all t ∈ T: {φ ∧ I} t.new {φ} 
  ---------------------------------------- 
  □ φ 

Weakening            I : invariant (optional) 
  1. ⊨ I ⇒ φ 
  ---------------------------------------- 
  □ φ 

Rule Invariance says that □φ holds if φ holds in the initial state (1.) and, for 
all possible occurrences of an action, φ holds after the occurrence of the action 
if φ ∧ I holds before the occurrence (2.). Note that the use of the substitution new 
guarantees that the rule captures every action t.β. Rule Weakening allows an 
invariant to be concluded from already known invariants by implication. 

The two rules Invariance and Weakening are semantically complete (cf. [ref]) for 
proving all invariants of an algebraic system net. So, from the completeness point 
of view, no other rules are necessary. From the perspective of intuitive proofs, 
however, we need further rules which capture the concepts of place invariants, in- 
dividual traps, and some further Petri net techniques. Here, we restrict ourselves 
to a rule for place invariants and a rule for individual traps as formalized in [ref]. 
Other techniques proposed in [ref] can be formalized in the same way. 
A place invariant e is a linear expression which does not change its value for 
any occurrence of an action. Linearity of e can be checked syntactically. For some 
linear expression e ∈ T^BSIG(P ∪ X) and some term v ∈ T^BSIG(X) we have the 
following rule; the renaming of variables in e by first applying substitution new 
guarantees that variables in the arc inscriptions do not collide with variables in 
the expression. 

Place invariant 
  1. ⊨ i(e) = v 
  2. for all t ∈ T: ⊨ i(t) ⇒ t⁻(new(e)) = t⁺(new(e)) 
  ---------------------------------------- 
  □ e = v 

An individual trap is some bag-valued linear expression e such that for some 
set V each transition which removes some item x ∈ V from e also adds at least 
one item x again. If each x ∈ V occurs in e in the initial marking, we know 
that each x ∈ V does occur in e in all reachable markings — denoted by □ e ≥ V. 
More precisely, we get the following rule: 

Individual trap 
  1. ⊨ i(e) ≥ V 
  2. for all t ∈ T: ⊨ (i(t) ∧ t⁻(new(e))(x)) ⇒ t⁺(new(e))(x) 
  ---------------------------------------- 
  □ e ≥ V 



5.2 Rules for Leads-to Properties 

Next, we consider proof rules for leads-to properties. We start with the so-called 
progress rule [ref]: 

Progress t 
  σ : optional (default id) 
  ξ : optional (default true) 
  I : invariant (optional) 
  1. {(φ ∨ ξ) ∧ I} t.σ {ψ} 
  2. ⊨ φ ∧ I ⇒ ENABLED(t.σ) 
  3. for all t' ∈ (•t)•: {(φ ∨ ξ) ∧ I ∧ CONFLICT(t.σ, t'.new)} t'.new {ψ} 
  4. for all t' ∈ T: {(φ ∨ ξ) ∧ I} t'.new {φ ∨ ξ ∨ ψ} 
  ---------------------------------------- 
  φ ▷ ψ 

Note that for ξ = true and I = true (the default) the first premise simplifies 
to {true} t.σ {ψ}, the third premise simplifies to {CONFLICT(t.σ, t'.new)} t'.new 
{ψ}, and the fourth premise is always true because true occurs on the right-hand 
side of the assertion. When generating the obligations for this default case, we 
will generate these simplified premises and omit the fourth premise. For this 
special case, the correctness of rule Progress can be easily seen: By 2., we know 
that t.σ is enabled when φ holds; by 1., we know that ψ is valid once t.σ occurs. 
Due to the progress assumption either t.σ or some conflicting action will occur. 
By 3., we know that all occurrences of conflicting actions also establish ψ. The 
optional formula ξ can be used to strengthen the precondition of the assertions; 
ξ is valid as long as neither t.σ nor any conflicting transition occurs. The next 
rule exploits the fact that leads-to is reflexive. 

Refl                 I : invariant (optional) 
  1. ⊨ (φ ∧ I) ⇒ ψ 
  ---------------------------------------- 
  φ ▷ ψ 

The above two rules in combination with the rules Transitivity and (infinite) 
Disjunction (cf. UNITY [ref]) would give us a semantically complete proof sys- 
tem for interleaving leads-to.³ Again, we introduce another rule which allows 
proofs to be presented in a more intuitive way: proof graphs, which are similar to proof 
lattices [ref] and proof diagrams [ref]. 

A proof graph is an acyclic finite directed graph with exactly one node without 
incoming arcs and exactly one node without outgoing arcs. We call these nodes the 
start and the end of the proof graph, respectively. Each node is inscribed with a state 
formula, and each node except the end node is inscribed with some proof argument. 
Let us assume that the start node is inscribed with φ and the end node is inscribed 
with ψ; then the proof graph verifies φ ▷ ψ if each proof argument associated 
with the (non-end) nodes verifies φ₀ ▷ ψ₁ ∨ ... ∨ ψₙ, where φ₀ is the inscription 
of the node and the ψᵢ are the inscriptions of all successor nodes in the proof graph. 

For example, consider the proof graph from Table 2 again. The proof ar- 
gument for node 1 is the Refl rule with invariant (1). This argument proves 
x, y ∈ U : mailbox(x, y) ▷ (mailbox(x, y) ∧ agreed(x)) ∨ negotiating(x). The proof 
argument for node 2 is the Progress rule with transition t3 as parameter. In 
principle, a node of a proof graph could also have a proof graph as an argument; 
we only need to take care that there are no cyclic dependencies. 

6 The Example Revisited 

With the proof rules from Sect. 5 we have finished the bridge from DAWN proofs 
to automated theorem provers: A proof consists of a sequence of applications of 
DAWN rules. Checking correct application of each DAWN rule reduces to check- 
ing the validity of state formulas and assertions. The validity of an assertion, in 
turn, reduces to the validity of a state formula. Altogether, checking the correct- 
ness of a DAWN proof reduces to checking the validity of a set of (first order) 
predicate logic formulas, which are called proof obligations. Checking the validity 
of a proof obligation is the domain of automated theorem provers — there it is often 
called proving or solving a proof obligation. 

In this section, we present the proof obligations which have been generated for 
our example. Moreover, we answer the question whether theorem provers succeed 
in checking these obligations. Table 3 shows all 21 proof obligations generated for 
the DAWN proof from Sect. [?], where we have omitted the preceding quantifications: 
each variable v occurring freely in an obligation is actually quantified by ∀v ∈ U. 
Although none of these obligations is a mathematical challenge, some obligations 
are syntactically quite complex. Often, even simple looking obligations cannot 
be checked by theorem provers fully automatically. Therefore, it is not clear at 
all whether the proof obligations generated from a DAWN proof can be proven 
by a theorem prover fully automatically. 

³ By interleaving leads-to we understand the usual leads-to operator (e.g. UNITY [ref]) 
on sequential runs rather than on non-sequential runs as in DAWN. 

416    Thomas Baar, Ekkart Kindler, and Hagen Völzer 

Table 3. Proof obligations for the example 

(1.1)      [x] + [] = [x] + [] 
(1.2)      [x] + [] = [x] + [] 
(1.3)      [] + [x] = [x] + [] 
(1.4)      [x] + [] = [] + [x] 
(1.5)      U + [] = U 
(2.1)      ([x] × U + [(x, y)])(z) ⇒ ([x] × U + [])(z) 
(2.2)      ([x] × U + [])(z) ⇒ ([x] × U + [(y, x)])(z) 
(2.3)      ([] × U + [])(z) ⇒ ([x] × U + [(y, x)])(z) 
(2.4)      ([x] × U + [x] × U)(z) ⇒ ([] × U + [x] × U)(z) 
(2.5)      U × U + U × U ≥ U × U 
(3.1)      [(x, y)] + []̅ = [] + [(y, x)]̅ 
(3.2)      [] + [(x, y)]̅ = [(y, x)] + []̅ 
(3.3)      [] + [(x, y)]̅ = (right-hand side not legible in this copy) 
(3.4)      [x] × U + []̅ = [x] × U + []̅ 
(3.5)      U × U + []̅ = U × U 
(4.1)      (negotiating + agreed = U ∧ negotiating × U + envelopes ≥ U × U ∧ envelopes + mailbox̅ = U × U) 
           ⇒ ((∀x ∈ U : agreed(x)) ⇒ (∀y, z ∈ U : ¬mailbox(y, z))) 
(5.1)      (negotiating + agreed = U ∧ mailbox(x, y)) ⇒ (negotiating(x) ∨ (mailbox(x, y) ∧ agreed(x))) 
(5.2.1)    true ⇒ (negotiating + [x])(x) 
(5.2.2)    (mailbox(x, y) ∧ agreed(x)) ⇒ ([x] ≤ agreed ∧ [(x, y)] ≤ mailbox) 
(5.2.3.1)  ([x] ≤ (agreed + [x']) ∧ [(x, y)] ≤ (mailbox + [(x', y')]) 
           ∧ [x'] ≤ (agreed + [x']) ∧ [(x', y')] ≤ (mailbox + [(x', y')]) 
           ∧ ¬([x] ∩ [x'] = [] ∧ [(x, y)] ∩ [(x', y')] = []) 
           ∧ ¬([x] = [x'] ∧ [(x, y)] = [(x', y')] ∧ [(y, x)] = [(y', x')] ∧ [x] = [x'])) 
           ⇒ (negotiating + [x'])(x) 
(5.2.3.2)  ([x] ≤ (agreed + [x']) ∧ [(x, y)] ≤ (mailbox + [(x', y')]) 
           ∧ [x'] ≤ (negotiating + [x']) ∧ [(x', y')] ≤ (mailbox + [(x', y')]) 
           ∧ ¬([(x, y)] ∩ [(x', y')] = []) 
           ∧ ¬([x] = [] ∧ [] = [x'] ∧ [(x, y)] = [(x', y')] ∧ [(y, x)] = [(y', x')] ∧ [x] = [x'])) 
           ⇒ (negotiating + [x'])(x) 

In order to answer this question, we started different theorem provers in 
parallel competition on each of the above obligations. The competition was car- 
ried out between the provers Setheo, Spass, Otter, and Protein. Table 4 
shows the winning prover for each obligation along with its termination time in 
seconds. For each obligation, a time limit of 2 minutes has been imposed. For 
some obligations (e.g. (2.1)), no prover was able to complete the task within this 
limit. These results show that most (including syntactically complex) formulas 
can easily be checked. Some obligations, however, caused difficulties. In Sect. 7.2 
we deal with these difficulties and present final results. 

Although Otter and Protein did not win any competition, these provers 
solved a lot of obligations. If an obligation is solvable by a variety of provers, it 
belongs to a class of well solvable problems. But there are obligations which 
could only be solved by the winner of the competition (e.g. (5.2.3.1), (5.2.3.2)). The 
proof of such tasks depends on whether the 'right' prover was used. 

Table 4. Experimental results without preprocessing 

Task    Best prover   Time in sec.     Task        Best prover   Time in sec. 
(1.1)   Setheo        0.02             (3.1)       —             — 
(1.2)   Setheo        0.02             (3.2)       —             — 
(1.3)   Setheo        0.02             (3.3)       —             — 
(1.4)   Setheo        0.01             (3.4)       Setheo        0.01 
(1.5)   Setheo        0.02             (3.5)       Spass         17.62 
                                       (4.1)       —             — 
(2.1)   —             —                (5.1)       Spass         1.70 
(2.2)   Setheo        0.05             (5.2.1)     Setheo        0.02 
(2.3)   Spass         1.93             (5.2.2)     Setheo        0.03 
(2.4)   Setheo        0.05             (5.2.3.1)   Setheo        12.86 
(2.5)   Setheo        0.02             (5.2.3.2)   Setheo        2.35 

7 Beyond the Example 

In the previous sections, we have introduced concepts which allow DAWN proofs 
to be checked for correctness automatically. The experimental results have shown 
that this approach does work with reasonable response time for many examples. 
Still, there are examples which cannot be checked by the approach as it stands. 
Further techniques are needed to cope with the remaining examples. One issue 
is techniques for automated theorem provers which exploit the special structure 
of the generated proof obligations and the structure of theories in the realm of 
distributed algorithms. Here, we present first ideas which already suffice for the 
remaining obligations from our example. These ideas also indicate the direction 
of future research. Another issue is further DAWN rules — in particular rules 
that capture the intuition of concurrency. 

7.1 ILF: Combining the Power of Theorem Provers 

The proof obligations generated by DAWN proof rules are not directly present- 
able to theorem provers. The obligations are DAWN state formulas. Some provers 
like Setheo, however, are restricted to unsorted clauses, i.e. to formulas of the 
form A₁ ∧ ··· ∧ Aₙ ⇒ B₁ ∨ ··· ∨ Bₘ where the Aᵢ and Bⱼ do not contain any logical 
connective. In order to solve an obligation by a prover, a transformation from 
DAWN state formulas into the input formats of the different provers is neces- 
sary. Such a transformation must preserve the logical entailment properties. Our 
transformation is two-tiered and uses sorted first order logic as a medium layer. 
The first transformation step from state formulas into sorted first order formulas 
is straightforward. The second step from sorted first order formulas into the input 
formats of the provers, e.g. unsorted clauses for Setheo, requires much more 
effort. The techniques for prover-specific theory compilation, however, are well 
investigated and implemented as a part of the ILF system. 

ILF was developed to support formal proving of mathematical theorems by 
exploiting the power of existing automated theorem provers. Currently, the fol- 
lowing general purpose provers are supported by ILF: Otter [ref], Spass [ref], 
Setheo [ref], and Protein [ref]. In order to prove a task, ILF launches different 
provers in parallel for the same task and waits for an answer of at least one 
prover. If no prover can find a proof within a preset time limit, ILF provides sev- 
eral possibilities to simplify the proof tasks, such that a restart of the provers 
has greater chances for success. 

The ILF user does not need to know the specifics of the integrated provers like 
formats for input files, etc. She only needs to know the syntax of ILF theories, 
basically sorted first order logic. ILF makes it possible to find suitable provers for a 
specific class of tasks. In case a 'best' prover does not exist, the parallel working 
mode allows the advantages of all provers to be combined. 

The ILF system is highly customizable. Its graphical user interface makes 
experiments with provers and theories easy. If needed, ILF theories and proofs 
found by the provers can be obtained in a readable form as LaTeX files. A script 
language allows the user to simulate all user interactions and to run ILF fully 
automatically. This property makes it easy to incorporate ILF into other systems 
as a powerful deductive component [ref]. 

7.2 Techniques to Facilitate Obligation Proving 

As shown in Sect. 6, the provers could not prove all obligations automatically 
without special preparations. The success rate of a prover mainly depends on 
an adequate formulation of the theory and the obligation. The search space is 
increased by a large theory with a lot of irrelevant axioms as well as by an oblig- 
ation which requires a long proof. There are some general techniques to tackle 
this problem. Here, we discuss two of them: theory selection and simplification. 
Both techniques require specific knowledge from the application domain and 
should be applied as preprocessing, prior to the invocation of the provers. ILF 
supports both techniques. 

Theory selection. The proof obligations are generated by DAWN proof rules. 
Often, all obligations belonging to one proof rule are solvable in a very similar 
way and need almost the same axioms. Examples are (1.1)-(1.5), (2.1)-(2.4), 
and (3.1)-(3.3). The latter group of tasks could not be solved by any prover 
without preprocessing (cf. Table 4). After selecting a suitable subtheory (4 
axioms) from the whole theory (25 axioms), the integrated provers could solve 
these tasks in less than one second. 

We conjecture that an appropriate subtheory for the obligations generated by some 
DAWN proof rule can be successfully re-used for another application of the same 
rule. Thus, the theory for a proof obligation is basically selected according to 
the DAWN proof rule which generated the proof obligation. 

Simplification. Due to their automatic generation, many obligations have a high 
potential for simplification. An example is obligation (3.2): ∀x, y : [] + [(x, y)]̅ = 
[(y, x)] + []̅. Due to the axiom ∀bag : [] + bag = bag, the left side can be 
simplified to [(x, y)]̅ and a new version ∀x, y : [(x, y)]̅ = [(y, x)] + []̅ can be used 
as an equivalent obligation. This version can even be further simplified using the 
axioms []̅ = [] and ∀bag : bag + [] = bag to ∀x, y : [(x, y)]̅ = [(y, x)]. 

Ilf automatically transforms simplification axioms into suitable rewrite rules 
for simplifying the proof obligations. During this process, 13 of the 21 obligations 
were simplified to true, i.e. they were completely solved by the simplification 
process. For these obligations, Ilf does not start any prover, which considerably 
reduces the overall time of the verification. 
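The following is an added example, not code from the paper or from Ilf: a small rewriting simplifier that applies only the two identity axioms quoted above plus reflexivity to bag equations, and shows that obligation (3.2) is reduced to the residual equation [(x,y)] = [(y,x)] while a constructed obligation of the same shape is simplified to true. The term constructors and the sample obligations are constructed here.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Empty: pass        # the empty bag []

@dataclass(frozen=True)
class Single:            # singleton bag [e]; e is a symbolic element such as "(x,y)"
    elem: str

@dataclass(frozen=True)
class Plus:              # bag addition  left + right
    left: object
    right: object

def rewrite(t):
    """Apply the identity axioms  [] + bag = bag  and  bag + [] = bag  bottom-up
    until no rule matches (the kind of rewrite rule derived from an axiom)."""
    if isinstance(t, Plus):
        l, r = rewrite(t.left), rewrite(t.right)
        if isinstance(l, Empty):
            return r
        if isinstance(r, Empty):
            return l
        return Plus(l, r)
    return t

def simplify_equation(lhs, rhs):
    """Rewrite both sides; if they become syntactically equal, reflexivity
    (bag = bag) closes the obligation ("true"); otherwise the residual equation
    is what a prover still has to solve."""
    l, r = rewrite(lhs), rewrite(rhs)
    return ("true", None) if l == r else ("open", (l, r))

def show(t):             # render a term in the paper's bracket notation
    if isinstance(t, Empty):
        return "[]"
    if isinstance(t, Single):
        return f"[{t.elem}]"
    return f"{show(t.left)} + {show(t.right)}"

# Obligation (3.2) from the text:  forall x, y : [] + [(x,y)] = [(y,x)] + []
ob_3_2 = (Plus(Empty(), Single("(x,y)")), Plus(Single("(y,x)"), Empty()))
# Constructed obligation that the identity axioms alone close:  [] + [x] = [x] + []
ob_closed = (Plus(Empty(), Single("x")), Plus(Single("x"), Empty()))

if __name__ == "__main__":
    for name, (lhs, rhs) in (("(3.2)", ob_3_2), ("constructed", ob_closed)):
        status, res = simplify_equation(lhs, rhs)
        print(name, status, "" if res is None else f"{show(res[0])} = {show(res[1])}")
```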

The search times for the remaining obligations are shown in Table 5 (obligations 
simplified to true are omitted). Altogether, each of the obligations except 
task (4.1) could be proved automatically. Task (4.1) cannot be simplified. Only 
after a manual theory selection could the prover Spass find a proof, in 115 
seconds. Task (4.1) is considerably harder to check than the other tasks. This 
task is generated by rule Weakening which, in contrast to other rules, does not 
exploit any net structure. Furthermore, task (4.1) does not contain other specific 
regularities. Proving task (4.1) makes intensive use of the underlying theory; it 
exploits multiset theory and properties of the operations $+$, $\leq$, and $\times$ in a rather 
complex way. This gives rise to a large search space. 

  Task       Best prover   Time in sec.     Task        Best prover   Time in sec. 
  (2.1)      Setheo        9.01             (5.1)       Spass         3.17 
  (2.2)      Setheo        0.01             (5.2.2)     Setheo        0.02 
  (2.5)      Setheo        0.02             (5.2.3.1)   Setheo        0.08 
  (4.1)      —             —                (5.2.3.2)   Setheo        0.01 

Table 5. Experimental results after simplification 

7.3 Further DAWN Rules 

Hitherto, we have introduced as many DAWN rules as were needed for the example. 
Although there are many more rules in DAWN, the rules other than those presented 
here do not introduce new difficulties in theorem proving. This holds in 
particular for partial order proof methods. We illustrate this by the proof rule 
Co-Progress for partial order leads-to formulas: 

Co-Progress $t$ 
    $\sigma$ : optional (default id) 
    $I$ : invariant 

    1. $\{\varphi\}\ t.\sigma\ \{\psi\}$ 
    2. $\varphi \Rightarrow \mathrm{ENABLED}(t.\sigma)$ 
    3. for all $t' \in T$ : $\{\mathrm{CONFLICT}(t.\sigma, t'.\mathit{new})\}\ t'.\mathit{new}\ \{\varphi\}$ 
    4. for all $p \in S$ : $I \Rightarrow p[x] \leq 1$ 

    $\varphi \leadsto \psi$ 

This rule suggests that the structure of proof obligations is the same for 
partial order properties. All other DAWN rules ^3 generate proof obligations 
of the same structure. Therefore, we argue that proof obligations for further 
DAWN rules can be automatically checked as well. 

8 Conclusion 

In this paper, we have bridged the gap between DAWN proofs and automated 
theorem provers by proof rules which are based on assertions and conflict formulas. 
The proof rules allow proof obligations to be generated automatically from a 
DAWN proof. The experiments have shown that the generated obligations can 
be checked automatically by today's theorem provers in reasonable time. 

Up to now, we have generated the proof obligations by hand, but according to 
the fixed scheme presented in this paper. Due to the positive experience with 
automatically checking the proof obligations, we have started to implement a 
tool which automatically generates the proof obligations and passes them to Ilf. 
With this tool, DAWN proofs will be checked in an automatic way. 

DAWN is based on algebraic system nets. The approach presented in this 
paper, however, also applies to other high-level net classes such as Coloured 
Petri nets — provided that the underlying data types are specified by a first-order 
theory. 

Still, there are many theoretical and practical problems to be solved. Beyond 
the topics mentioned in Sect.^ let us mention two further questions: 

— How can we give some advice on how to correct a proof, when the verification 
of an obligation fails? 

— Can we lift DAWN proofs to an even higher level of abstraction such that 
the correctness can still be checked automatically? 

These questions can only be answered when we have finished the tool which 
allows us to investigate many more examples of distributed algorithms. 
Appendix: Definitions and Notations 

Sets, families, and functions. By $\mathbb{N}$, we denote the set of natural numbers with 0. For 
a set $A$, we denote the cardinality of $A$ by $|A|$, and we denote the set of all non-empty 
finite sequences over $A$ by $A^+$. A family of sets over some index set $I$ is denoted by 
$(A_i)_{i \in I}$. The family $(A_i)_{i \in I}$ is pairwise disjoint iff for each $i, j \in I$ with $i \neq j$ holds 
$A_i \cap A_j = \emptyset$. If $A = (A_i)_{i \in I}$ is a family of sets, then the set $\bigcup_{i \in I} A_i$ is often also 
denoted by $A$, for convenience. 

Bags. A bag over a fixed set $A$ is a mapping $M : A \to \mathbb{N}$ such that the set $\{x \in A \mid 
M(x) \neq 0\}$ is finite. We write $M[a]$ instead of $M(a)$ for the multiplicity of an element 
$a$ in $M$. We define addition $+$ and inclusion $\leq$ of bags elementwise by $(M_1 + M_2)[a] = 
M_1[a] + M_2[a]$ and $M_1 \leq M_2$ iff $\forall a \in A : M_1[a] \leq M_2[a]$. The cardinality of a bag 
$M$ is defined by $|M| = \sum_{a \in A} M[a]$. The set of all bags over $A$ is denoted by $\mathcal{B}(A)$. 

We represent a bag by enumerating its elements in square brackets: $[a_1, \ldots, a_n]$. In 
particular, $[]$ denotes the empty bag. 

Algebras and signatures. A signature $SIG = (S, OP)$ consists of a finite set $S$ of sort 
symbols and a pairwise disjoint family $OP = (OP_\sigma)_{\sigma \in S^+}$ of operation symbols. A $SIG$-
algebra $\mathcal{A} = ((A_s)_{s \in S}, (f_{op})_{op \in OP})$ consists of a family $A = (A_s)_{s \in S}$ of sets and a 
family $(f_{op})_{op \in OP}$ of (total) functions such that for $op \in OP_{s_1 \ldots s_n s_{n+1}}$ we have 
$f_{op} : A_{s_1} \times \ldots \times A_{s_n} \to A_{s_{n+1}}$. A set $A_s$ of an algebra is called domain and a function $f_{op}$ 
is called operation of the algebra. 

Variables and terms. For a signature $SIG = (S, OP)$, we call a pairwise disjoint family 
$X = (X_s)_{s \in S}$ with $X \cap OP = \emptyset$ a sorted $SIG$-variable set. Each term is associated with 
a particular sort. Let $X = (X_s)_{s \in S}$ be a sorted $SIG$-variable set. The set of $SIG$-terms 
over $X$ of sort $s$ is denoted by $T_s^{SIG}(X)$ and inductively defined by: (1) $x \in X_s$ implies 
$x \in T_s^{SIG}(X)$, and (2) $u_i \in T_{s_i}^{SIG}(X)$ for $i = 1, \ldots, n$ and $op \in OP_{s_1 \ldots s_n s_{n+1}}$ implies 
$op(u_1, \ldots, u_n) \in T_{s_{n+1}}^{SIG}(X)$. The set of all terms (of any sort) is denoted by $T^{SIG}(X)$. 

A term without variables is called ground term. We denote the set of ground terms by 
$T^{SIG} = T^{SIG}(\emptyset)$ and the set of ground terms of sort $s$ by $T_s^{SIG} = T_s^{SIG}(\emptyset)$. 

Evaluation of terms. For a signature $SIG = (S, OP)$, a sorted $SIG$-variable set $X = 
(X_s)_{s \in S}$, and a $SIG$-algebra $\mathcal{A} = ((A_s)_{s \in S}, (f_{op})_{op \in OP})$, a mapping $\beta : X \to A$ is an 
assignment for $X$ iff for each $s \in S$ and $x \in X_s$ holds $\beta(x) \in A_s$. We canonically 
extend $\beta$ to a mapping $\beta : T^{SIG}(X) \to A$, called $\beta$-evaluation, by $\beta(op(u_1, \ldots, u_n)) = 
f_{op}(\beta(u_1), \ldots, \beta(u_n))$ for $op(u_1, \ldots, u_n) \in T^{SIG}(X)$. By $\beta_\emptyset : \emptyset \to A$ we denote the 
unique assignment for the empty variable set. 

Substitutions. Let $X$ and $Y$ be $SIG$-variable sets. A mapping $\sigma : X \to T^{SIG}(Y)$ is 
called substitution iff $x \in X_s$ implies $\sigma(x) \in T_s^{SIG}(Y)$. Analogously to evaluations, we 
also extend a substitution $\sigma$ to a mapping $\sigma : T^{SIG}(X) \to T^{SIG}(Y)$ in order to apply 
it to terms. In case of $Y = \emptyset$, we call $\sigma$ a ground substitution. For the composition of two 
substitutions $\sigma$ and $\tau$ we write $\sigma\tau$ or $\sigma \circ \tau$, i.e. we have $\sigma\tau(x) = \sigma \circ \tau(x) = \sigma(\tau(x))$. 
Analogously, we write $\beta\sigma$ or $\beta \circ \sigma$ for the composition of an assignment $\beta$ and a 
substitution $\sigma$. 

Petri nets. A Petri net $N = (P, T, F)$ consists of two disjoint sets $P$ and $T$ and a 
relation $F \subseteq (P \times T) \cup (T \times P)$. An element of $P$ is called place, an element of $T$ is 
called transition, and an element of $F$ is called arc of the net. A net is finite iff both 
$P$ and $T$ are finite. 

Occurrence nets. We start with some prerequisites. Let $N = (P, T, F)$ be a net. 

1. For an element $x \in P \cup T$ of $N$ we define the preset of $x$ by ${}^\bullet x = \{y \in P \cup T \mid (y, x) \in 
F\}$ and the postset of $x$ by $x^\bullet = \{y \in P \cup T \mid (x, y) \in F\}$. 

2. We define the minimal elements of $N$ by ${}^\circ N = \{x \in P \cup T \mid {}^\bullet x = \emptyset\}$ and the 
maximal elements of $N$ by $N^\circ = \{x \in P \cup T \mid x^\bullet = \emptyset\}$. 

3. For $x \in P \cup T$ we define the set of predecessors by $\downarrow x = \{y \in P \cup T \mid (y, x) \in F^+\}$, 
where $F^+$ denotes the transitive closure of the flow relation $F$. 

Runs are defined with the help of occurrence nets. An occurrence net has two main features: 
the flow relation is acyclic and does not branch at places. Moreover, each element 
of an occurrence net has only finitely many predecessors. A net $K = (B, E, <)$ is an 
occurrence net if 

1. ${}^\circ K \subseteq B$ and $K^\circ \subseteq B$, 

2. ${}^\circ K$ is finite and for each $e \in E$ both ${}^\bullet e$ and $e^\bullet$ are finite, 

3. for each $b \in B$ holds $|{}^\bullet b| \leq 1$ and $|b^\bullet| \leq 1$, and 

4. for each $b \in B$ the set of predecessors $\downarrow b$ is finite and $b \notin \downarrow b$. 

For the sake of clarity, we use new symbols for places and transitions of an occurrence 
net. Moreover, we call a place of an occurrence net condition and we call a transition 
event. Next we define the states of an occurrence net. Let $K = (B, E, <)$ be an occurrence 
net. For subsets of conditions $Q, Q' \subseteq B$ we define the occurrence relation $\to$ 
by: $Q \to Q'$ iff there exists an event $e \in E$ such that ${}^\bullet e \subseteq Q$ and $Q' = (Q \setminus {}^\bullet e) \cup e^\bullet$. 
The transitive and reflexive closure of $\to$ is denoted by $\to^*$. For $Q, Q' \subseteq B$ we say $Q'$ 
is reachable from $Q$ if $Q \to^* Q'$. A subset of conditions $Q \subseteq B$ is a state of $K$ if $Q$ is 
reachable from ${}^\circ K$. The set ${}^\circ K$ is called the initial state of $K$. 
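As an added example that is not part of the paper, the following code checks the occurrence-net conditions above for a finite net given as sets B, E and a flow relation F, and enumerates its states by iterating the occurrence relation from the initial state °K. The small net at the bottom is constructed for illustration.

```python
def preset(x, F):   # •x
    return {y for (y, z) in F if z == x}

def postset(x, F):  # x•
    return {z for (y, z) in F if y == x}

def predecessors(x, F):
    """↓x: all y with (y, x) in the transitive closure F+ (by graph search)."""
    seen, frontier = set(), preset(x, F)
    while frontier:
        y = frontier.pop()
        if y not in seen:
            seen.add(y)
            frontier |= preset(y, F)
    return seen

def is_occurrence_net(B, E, F):
    """Conditions 1, 3 and 4 of the appendix for a finite net K = (B, E, F);
    condition 2 (finite initial state and pre/postsets) holds trivially here."""
    nodes = B | E
    # 1. minimal and maximal elements are conditions: °K ⊆ B and K° ⊆ B
    if not all((preset(x, F) or x in B) and (postset(x, F) or x in B) for x in nodes):
        return False
    if any(len(preset(b, F)) > 1 or len(postset(b, F)) > 1 for b in B):  # 3. unbranched
        return False
    return all(b not in predecessors(b, F) for b in B)     # 4. acyclic: b ∉ ↓b

def states(B, E, F):
    """All states of K: subsets Q ⊆ B reachable from the initial state °K by
    Q -> Q' iff some event e has •e ⊆ Q and Q' = (Q minus •e) ∪ e•."""
    initial = frozenset(b for b in B if not preset(b, F))
    reached, todo = {initial}, [initial]
    while todo:
        Q = todo.pop()
        for e in E:
            pre, post = preset(e, F), postset(e, F)
            if pre <= Q:
                Qn = frozenset((Q - pre) | post)
                if Qn not in reached:
                    reached.add(Qn)
                    todo.append(Qn)
    return reached

# Constructed occurrence net: b1 -> e1 -> b2; e2 consumes b2 and b4 and produces b3.
B, E = {"b1", "b2", "b3", "b4"}, {"e1", "e2"}
F = {("b1", "e1"), ("e1", "b2"), ("b2", "e2"), ("b4", "e2"), ("e2", "b3")}

if __name__ == "__main__":
    print(is_occurrence_net(B, E, F), sorted(sorted(Q) for Q in states(B, E, F)))
```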

Runs of algebraic system nets. In a run, each condition of the occurrence net is associated 
with some place of the algebraic system net along with an element of the 
corresponding domain. This is formalized as condition labelling. Let $\Sigma$ be an algebraic 
system net with algebra domain $A$, and let $K = (B, E, <)$ be an occurrence net. A 
mapping $r : B \to P \times A$ is a condition labelling of $K$ iff for each $b \in B$ with $r(b) = (p, a)$ 
it holds that $a \in A_s \Rightarrow p \in P_{bs(s)}$. 

For a given condition labelling $r$, each finite subset $Q \subseteq B$ can be associated with a 
marking. We denote this marking by $r(Q)$ and define it by $r(Q) : P \to \mathcal{B}(A)$ with 
$r(Q)(p)[a] = |\{b \in Q \mid r(b) = (p, a)\}|$. An occurrence net together with a condition 
labelling is a run of an algebraic system net iff 

1. $r({}^\circ K) = M_0$, where $M_0$ is the initial marking of $\Sigma$, 

2. for each event $e \in E$ there exists an action $t.\beta$ such that $\beta(\iota(t)) = \mathit{true}$, $r({}^\bullet e) = \beta t^-$, 
and $r(e^\bullet) = \beta t^+$, and 

3. no action is enabled in $r(K^\circ)$ in any mode. 